Organization may store personal data only when there is a legitimate reason for data retention. Retaining redundant or unnecessary data exposes the organization to security threats. Anyone can be breached or hacked.
GDPR emphasizes data minimization, both in terms of the amount of data stored and the duration of their storage. Summarizing the legal requirements, Art. 5 GDPR states that data retention may not take longer than it is necessary for the purposes for which they are processed. The retention period of personal data should be limited to a strict minimum. Therefore, organizations must ensure that personal data is safely deleted when it is no longer needed.