Records containing personal data should be tagged, on creation or receipt, along with their retention rules. With 60% of records being unstructured, meaning records are not in a formal database or file structure, this becomes increasingly crucial.
A data flow map should be created to show where personal data resides and how it is shared or moved between applications or repositories; internal or external. This is mandatory for some privacy laws and helps identify sources of breached data.
As information moves through your business workflows you need an easy way to identify retention requirements. In the age of increased privacy regulations, keeping everything forever is no longer an option.
Destroy digital data as soon as possible after the retention requirement is met. Furthermore, if data is going to be used for machine learning, anonymize personal data.