Like a penetration test or a security test, you don't know where you're out of compliance until you perform an audit; you don't normally shut down your site in the meantime.
The correct way to comply with this is to suggest that you don't believe that you're out of compliance, and to request specific guidance on which particular datasets aren't in compliance that should be removed.
The correct way to comply with this is to suggest that you don't believe that you're out of compliance, and to request specific guidance on which particular datasets aren't in compliance that should be removed.