You'll need to be able to delete certain customer data in response to a valid request. To do so, you need to be able to find and review all such data, not just in databases, but also in unstructured and semi-structured forms such as file shares, SharePoint and email, and even paper files if they're in a filing system.
You also won't be able to keep backups of this data longer than is necessary for operational restore purposes (more on that below).
The rule is that you shouldn’t keep personal data for longer than is necessary for the purpose for which it was collected.
There are five exceptions to this, one of which is:
2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
This addresses the need to meet other regulatory requirements that you mentioned.
You'll need to keep a metadata record of what you have deleted.
In the event that you have to restore data from a backup for operational purposes, you need to cross reference it to the record of deletions that occurred since the backup was created to ensure that any such data is either not restored, or is immediately deleted again.
This is only a fraction of an organization's obligations under GDPR, being those most directly relevant to your question.
Disclosure: I work for a company that provides solutions in this space.
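The deletion register and the backup-restore cross-check described in the answer above, as an added example that is not code from the original thread or from any vendor's product. It assumes the register stores only a keyed hash of each data subject's identifier (so the register itself holds no personal data) next to the deletion metadata; the HMAC secret, request references and sample rows are all constructed for the illustration. It goes slightly beyond the text in one respect: a restored row whose subject was erased before the backup was even taken is reported as an anomaly, because it means the original erasure never reached the source system.

```python
"""Deletion register plus restore reconciliation (added illustration).

Assumption: the register keeps an HMAC of the subject identifier, never the
identifier itself, together with when, why and under which request the
erasure was carried out.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import hmac


@dataclass(frozen=True)
class DeletionRecord:
    subject_key: str        # keyed hash of the identifier, not the identifier
    deleted_at: datetime    # when the erasure was carried out (UTC)
    request_ref: str        # constructed ticket reference for the request
    reason: str             # e.g. "data subject request", "retention expiry"


def subject_key(identifier: str, secret: bytes) -> str:
    """Pseudonymise an identifier so register entries can be matched against
    live or restored data without storing the identifier in the register."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(secret, normalised, hashlib.sha256).hexdigest()


class DeletionLedger:
    """Append-only metadata record of erasures (in-memory for the example)."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._records = []  # list of DeletionRecord

    def record(self, identifier, deleted_at, request_ref, reason):
        rec = DeletionRecord(subject_key(identifier, self._secret),
                             deleted_at, request_ref, reason)
        self._records.append(rec)
        return rec

    def lookup(self, identifier):
        """Return the deletion record for an identifier, or None."""
        key = subject_key(identifier, self._secret)
        for rec in self._records:
            if rec.subject_key == key:
                return rec
        return None

    def deletions_since(self, since):
        """Erasures carried out at or after a given point in time."""
        return [r for r in self._records if r.deleted_at >= since]


def reconcile_restore(rows, backup_created_at, ledger, id_field="email"):
    """Split rows restored from a backup into (kept, suppressed, anomalies).

    suppressed: subject erased after the backup was created, so the row must
                not be restored (or must be deleted again immediately).
    anomalies:  subject erased *before* the backup was created yet present in
                it, i.e. the original erasure did not reach the source system.
    """
    kept, suppressed, anomalies = [], [], []
    for row in rows:
        rec = ledger.lookup(row[id_field])
        if rec is None:
            kept.append(row)
        elif rec.deleted_at >= backup_created_at:
            suppressed.append((row, rec))
        else:
            anomalies.append((row, rec))
    return kept, suppressed, anomalies


def demo():
    """Constructed scenario: a backup from 1 May, one erasure before it and
    one after it, then a restore of three rows from that backup."""
    utc = timezone.utc
    ledger = DeletionLedger(secret=b"placeholder-register-key")
    backup_created_at = datetime(2018, 5, 1, tzinfo=utc)
    ledger.record("alice@example.com", datetime(2018, 4, 20, tzinfo=utc),
                  "REQ-0001", "data subject request")
    ledger.record("bob@example.com", datetime(2018, 5, 10, tzinfo=utc),
                  "REQ-0002", "data subject request")

    restored = [  # constructed rows pulled from the 1 May backup
        {"email": "Alice@Example.com", "name": "A."},  # erased before backup
        {"email": "bob@example.com", "name": "B."},    # erased after backup
        {"email": "carol@example.com", "name": "C."},  # no erasure on record
    ]
    return reconcile_restore(restored, backup_created_at, ledger)


if __name__ == "__main__":
    kept, suppressed, anomalies = demo()
    print("restore:", [r["email"] for r in kept])
    print("suppress:", [(r["email"], d.request_ref) for r, d in suppressed])
    print("anomaly:", [(r["email"], d.request_ref) for r, d in anomalies])
```

Normalising the identifier before hashing (trim, lowercase) is what lets the register match a row that was captured as "Alice@Example.com"; in a real system the HMAC secret belongs in a secrets store, the register in durable, access-controlled storage, and the suppressed and anomaly lists become the evidence that the restore honoured the earlier erasures.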
Pretty much exactly this and clearly your knowledge is greater than mine.
I'm still finding everywhere we store data and fixing as much security stuff as fast as I can (some of it I'm not sure programmers on here would believe).
It's a gargantuan task.
Which company do you work for if you don't mind me asking? (If you do no worries :) )
Can you explain in more detail how the GDPR applies to unstructured forms? Would those be forms specifically for inputting personal data, or any free text at all?
Any personal data is subject, whether it is contained in Word documents, PowerPoints (that could be image based scans that will need to be OCRd to make them discoverable), spreadsheets, text files, database dumps, PST files, CSV files, etc, etc.
If it contains personal data on an EU natural person regardless of where the company is based, or on any natural person anywhere if the company is EU based, it is subject to the GDPR.
My question is more, what if you don't know it has personal data? Say you're just a generic document storage & sharing service, and someone uploads a generic PDF or Word, but which happens to contain personal data. Surely you're not expected to treat any possible data you receive as personal, just in case?