How should data associated with deprovisioned accounts be handled for compliance?

Study for the User Account Management Test. Enhance your skills with flashcards and multiple choice questions, each with hints and explanations. Be prepared for success!

Multiple Choice

How should data associated with deprovisioned accounts be handled for compliance?

Explanation:
When handling data for deprovisioned accounts, the guiding idea is to manage information in line with policy, balancing security, privacy, and regulatory or legal retention needs. First, revoke access so no active credentials or permissions remain for the former user, and remove them from systems, groups, and integrations. Then handle the associated data by archiving or deleting according to the organization’s retention policy and any applicable laws, while preserving only what is required for audits, investigations, or business needs. Secure any retained data so it’s protected against tampering and access is tightly controlled, and ensure the retention period is enforced. If there are legal holds or ongoing investigations, preserve the data accordingly.

This is why the best approach is to archive or delete according to policy, ensure no active credentials remain, and secure retained data for audits while respecting retention requirements. The other options fail to balance access management, retention obligations, and auditability: leaving data indefinitely ignores retention rules; deleting data immediately and purging logs can hinder audits and regulatory obligations; archiving everything regardless of retention needs can waste resources and violate privacy or retention policies.
