I'm taking over support for a Moodle site that has been operational for about 5 years. I'm taking a look through our compliance documents, and noted that we had not set up our "Purpose" and "Categories" in the data privacy area. However, we have had our privacy policy on the site since implementing GDPR a few years ago.
I've added these, including a retention period of 3 years for all user content.
However, when I go to the "Data deletion" section, which shows "data for which the retention period has expired", nothing is listed. I've checked my user table, and there are hundreds of accounts that should be flagged (because they have not been accessed for 3+ years).
I'm trying to understand this. Does the retention period only apply to data collected after these settings are applied? Have I done something wrong? Or is there just something I'm missing?