[njb311]

I wouldn’t say the _whole point_ becomes moot. As you have to have a legal basis for each type of data that you are storing or processing, relying on different legal bases can add complexity to the problem of a deletion request. Just because you have to retain some information does not give a free pass to retain everything.

Also, remember that data subjects have a right to limit the purposes for which their data is used – systems need to be able to cope with that.

This is where a well thought-out and documented approach to personal information makes everything easier, for internal users of that data too. For legacy systems it can be a nightmare because nobody seemed to care, but with a clean sheet, _why wouldn’t you_ address data protection and privacy from the outset?