GDPR: when should data be deleted?

Under GDPR, it’s important that personal data is erased once it’s no longer needed for its original purpose. Companies have to stick to strict data retention rules, which means they can’t keep info longer than they should. People also have the power to ask for their data to be deleted, thanks to the “right to be forgotten” under Article 17. This can happen if, say, the data’s no longer relevant, consent’s been pulled, or if the info wasn’t handled properly in the first place. Organisations are expected to regularly review and audit how long they keep data to stay on track with GDPR’s principles of reducing unnecessary storage.