Data removal, or data erasure, is triggered by the expiry of the data retention period. When the data retention period expires, any further processing of the data by the Organization becomes illegal.
In order to minimize the risk of non-compliance, once the data retention period expires, the Organization must remove personal data from its systems. Data removal is executed either by deleting the data or, more often, by anonymizing identifiable data.
To schedule data removal in a compliant way, the prerequisite is to keep compliant Records of Processing Activities (ROPA) and to have a 360° view of the processing of the Data Subject's personal data.