When data has reached the end of the retention period, it should be:

When data reaches the end of its retention period, it should typically be destroyed to ensure that sensitive information is no longer accessible or at risk of being misused. Destruction of data is a critical aspect of data lifecycle management and compliance with various privacy and security regulations, such as GDPR or HIPAA, which mandate that personal data must not be kept longer than necessary.

Destroying data helps to mitigate risks associated with data breaches, unauthorized access, and potential legal liabilities. It ensures that organizations do not hold onto outdated information that could pose a risk either to their operations or to individuals whose data was collected.

In contrast, options like archiving, enhancing, or selling do not align with the standard practice once data has reached its retention limit. Archiving may be relevant for data that still has value or needs to be maintained for future reference, enhancing does not apply as it implies increasing data value rather than handling it post-retention, and selling is typically not an appropriate action for expired data, especially sensitive information, due to legal and ethical considerations.