Information security emphasizes the measures that are in place to protect information. It is a question of encryption, access procedures and controls, log monitoring and so on, while a privacy specialist's second question (after asking what kind of personal data you collect) is why the data is collected and stored. In other words, personal data cannot be stored indefinitely even if the security of the data is at a sufficient level and access rights are limited. Often, a privacy specialist finds that data once collected for a certain purpose is no longer used for that purpose. For some reason the data is no longer valid, or the business purpose no longer exists, but the data is still kept just in case it is needed for another purpose, or just because nobody is interested in cleaning it up. However, an adequate level of security for personal data is not enough, because the data can be retained only if it is still needed for the defined purposes. If you are unable to define a purpose, you may need to erase or anonymize the data. If the purpose is defined, check that the privacy notice is up to date.