Who has changed their retention policies, and what is your standard 30 days of full backups? Is it 90, 1 year?

As I have researched best practices for "backup copy" retention, one of the things that became a question is: Do "backup copies" need to follow the same retention cycle as active and/or archived data?  
If your backup "copy" is specifically and only retained for worst case disaster recovery scenario, then is it necessary to maintain that copy in an immutable data vault beyond a 30-to-90-day retention window?  
Is there a need to retain full system backup "copies" for up to a year for potential forensic analysis if your business partners say that it would be difficult at best to return to business as usual if you had to restore from 30+ day old backups?

Ultimately, you need to follow the business and regulatory requirements for data retention for active and archived data, your organization must then decide if backup "copies" must also follow that same retention cycle.  Make whatever retention cycle for backup copies you choose into policy and standards and govern it.

It would be helpful if you could provide some clarity. Retention policies generally depend on your business, data, and regulatory or compliance requirements. For example, finance and healthcare sectors may need to retain data for a specific number of years based on their domicile and local regulatory needs. In contrast, the EU has different requirements, such as not allowing organizations to store data for more than a certain number of months if the user is inactive. In summary, business needs, regulatory requirements, compliance, and laws should govern retention policies. If there are no specific requirements, and the data is not critical, consider reducing the retention period to less than 30 days if applicable.