EU GDPR is not only about Websites

         

Travis

12:12 pm on Apr 6, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



Just wanted to point out that the EU GDPR concerns all businesses as well as any kind of personal data. So for example, it also concerns your employees' information, your clients, your mailing list, anything.

LifeinAsia

5:52 pm on Apr 6, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



So true! I work at a university and deal with a LOT of personal data in multiple locations across many divisions.

You also have to remember that the data is in backups and archived data, so scrubbing live data isn't sufficient.

Travis

5:55 pm on Apr 6, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



> You also have to remember that the data is in backups and archived data, so scrubbing live data isn't sufficient.

Without forgetting that the EU GDPR includes the right to have your personal data deleted, meaning that, at the request of an EU citizen, you have to be able to remove his/her data from your backups as well.

LifeinAsia

7:08 pm on Apr 6, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Right, like I said. :)

tangor

12:47 am on Apr 7, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



And then .... wait for it....

There will be challenges for such breaking law enforcement needs, accounting practices, and other oddities of "doing business".

One of the classic cake-and-eat-it-too conundrums of a tech society.

How much, how far, how detailed, and who gets to manage it, and IF YOU CAN MAKE IT DISAPPEAR how, in certain circumstances, can civil necessities be documented and accomplished?

We live in interesting times.

Shaddows

12:59 pm on Apr 11, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



GDPR expressly allows you to refuse to delete data where you may need to discharge legal responsibilities. This covers taxes and accounting.

You may need to pseudonymise it, however. This essentially means that all the "operational" data (like what was ordered, where it shipped, how much it cost) can be tied to an identifier, then the identity held elsewhere (to be reassembled if required, while effectively anonymous if not).

I do think this disassemble/reassemble of sales data opens up whole new opportunities to launder money.

_____

Imagine a gigantic corporate, using tape backup at the end of their data-handling chain. If I ask them to delete me, will they reasonably re-write that tape backup? I don't think so.
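The pseudonymisation split described in the post above, as an added sketch that is not part of the thread: operational order rows carry only a random identifier, and the identity sits in a separate store that can be erased without touching the ledger. The class, function and field names and the sample orders are hypothetical, and `ship_country` stands in for "where it shipped" because a full street address would itself identify the person.

```python
import secrets

class IdentityVault:
    """Identity store kept apart from operational data (hypothetical design)."""

    def __init__(self):
        self._by_pid = {}    # pseudonym -> identity fields
        self._by_email = {}  # normalised email -> pseudonym

    def pseudonym_for(self, name, email):
        key = email.strip().lower()
        pid = self._by_email.get(key)
        if pid is None:
            # Random, not derived from the email, so it cannot be recomputed
            # from the person's details once the vault entry is gone.
            pid = secrets.token_hex(8)
            self._by_email[key] = pid
            self._by_pid[pid] = {"name": name, "email": email}
        return pid

    def reidentify(self, pid):
        """Reassemble identity when required; None if it has been erased."""
        return self._by_pid.get(pid)

    def erase(self, pid):
        """Erasure request: drop the identity, leave the ledger rows intact."""
        identity = self._by_pid.pop(pid, None)
        if identity is None:
            return False
        del self._by_email[identity["email"].strip().lower()]
        return True

def pseudonymise_orders(raw_orders, vault):
    """Return ledger rows that carry a pseudonym instead of name and email."""
    return [{"customer": vault.pseudonym_for(o["name"], o["email"]),
             "item": o["item"], "ship_country": o["ship_country"],
             "total": o["total"]} for o in raw_orders]

# Constructed sample orders; two rows belong to the same person.
RAW_ORDERS = [
    {"name": "A. Example", "email": "a@example.com", "item": "keyboard",
     "ship_country": "DE", "total": 49.0},
    {"name": "B. Sample", "email": "b@example.com", "item": "monitor",
     "ship_country": "FR", "total": 199.0},
    {"name": "A. Example", "email": "A@Example.com ", "item": "mouse",
     "ship_country": "DE", "total": 19.0},
]
```

The ledger stays usable for accounting after `erase()`, but copies of the vault in backups still need their own retention handling.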

Travis

5:33 pm on Apr 11, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



Also, the EU GDPR mentions that you have to ensure that data collected before the enforcement are also compliant with the GDPR. For example, if you didn't record the explicit consent from a user to record such or such data, you have to obtain this consent now. Same if you recorded data and archived them. You'll have to go through your archives to delete them.

Mark_A

11:48 am on Apr 13, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It should not be forgotten that consent is one of the legal bases for processing private information; there is also legitimate interest, which in some circumstances is also OK as a legal basis.

Travis

1:12 pm on Apr 13, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



> ...legitimate interest which in some circumstances is also ok as a legal basis...

In that case, interest-based ads tracking is also a legitimate interest, since this is to improve users' experience, by providing them with ads which are interesting, instead of bothering them with other ads.... there is a survey somewhere which said that xx % of people preferred to see ads targeted to their interest than random ads ...

Collecting private data and selling them to marketers is also a legitimate interest since like that it allows to offer a free service, in exchange, etc, etc...