Re: Might be of interest if you're puzzled
“(which largely comes down to only holding onto data for which you have explicit permission and a legitimate reason, regularly checking to ensure you still have permission, and not passing anything on without explicit permission)”
Doesn’t “business interest” act as a valid reason by itself under GDPR? If a business needs its IT department to restore a sacked ex-employee’s emails from backup as part of a related legal investigation, and those emails contained PII data, would you also need to have explicit permission? Surely not?