If companies get in the mindset that storing client data is a big liability they might decide that archiving everything and anything forever might not be such a clever decision after all.
I think this would be a stronger argument if other EU laws didn't actively require the collection and long-term retention of some of the most important personal information, including identity and financial details, for other purposes such as VAT audits. Such obligations often preclude otherwise reasonable data management strategies like encrypting all personal data with a per-account key that can be easily deleted and thus render everything connected with a given account permanently inaccessible in the event of an erasure request etc.
Instead, data controllers are in principle supposed to keep track of every possible purpose for which personal data could be processed, even those originating in theoretical legal requirements that are rarely if ever used in practice, as they applied at the time each item of personal data was first collected and at all times since; to retain each individual data point for as long as any purpose for which it might be needed continues to apply; and then to delete that data promptly once its final purpose is no longer relevant.
I suggest that few if any data controllers are actually doing this. Instead I suspect almost everyone who is trying in good faith to comply with the GDPR is using sufficiently generic purposes and blanket provisions to simplify their position to a manageable level of complexity. (How many privacy policies have you read since GDPR came out that actually stated a concrete time period for retaining each category of personal data being processed, and how may have you seen that rely on abstract wording about keeping the data for as long as any stated purpose applies or something similar?) No doubt many other organisations are simply not complying with the GDPR rules about retention and deletion at all, perhaps through ignorance, or perhaps as a deliberate choice that they hope to get away with.
I think this would be a stronger argument if other EU laws didn't actively require the collection and long-term retention of some of the most important personal information, including identity and financial details, for other purposes such as VAT audits. Such obligations often preclude otherwise reasonable data management strategies like encrypting all personal data with a per-account key that can be easily deleted and thus render everything connected with a given account permanently inaccessible in the event of an erasure request etc.
Instead, data controllers are in principle supposed to keep track of every possible purpose for which personal data could be processed, even those originating in theoretical legal requirements that are rarely if ever used in practice, as they applied at the time each item of personal data was first collected and at all times since; to retain each individual data point for as long as any purpose for which it might be needed continues to apply; and then to delete that data promptly once its final purpose is no longer relevant.
I suggest that few if any data controllers are actually doing this. Instead I suspect almost everyone who is trying in good faith to comply with the GDPR is using sufficiently generic purposes and blanket provisions to simplify their position to a manageable level of complexity. (How many privacy policies have you read since GDPR came out that actually stated a concrete time period for retaining each category of personal data being processed, and how may have you seen that rely on abstract wording about keeping the data for as long as any stated purpose applies or something similar?) No doubt many other organisations are simply not complying with the GDPR rules about retention and deletion at all, perhaps through ignorance, or perhaps as a deliberate choice that they hope to get away with.