Define what you truly need to collect, and set clear retention periods for each data category. Make sure there’s a process (manual or automated) to actually delete or anonymize data when those periods expire.
The Evidence Question to Ask Yourself: Can you show what data you keep, why you keep it, and when it’s deleted or anonymized?
