Your company has acquired a healthcare startup and must retain its customers' medical information for a period of up to 4 years, based on the creation date. Corporate policy requires this data to be stored securely and then deleted immediately once regulatory requirements are met.

Which approach should you take?