We should be able to GDPR delete it
Can't we at least use the GDPR individually to have any data they do have on us deleted. OK in the absence of a gigantic data breach you could argue Equifax has a right to hold credit data the banks have asked for the right to transfer to them; but following such an egregious breach it ought to be fair reason to demand Equifax delete everything they have on you (because they can't be trusted to keep it secure) under the GDPR and without any "necessary for business" exclusions.
Biting the hand that feeds IT
