hen GDPR took effect, the 25th of May 2018, the same rules applies to all personal data, even if it occurs in previously unregulated and unstructured data sources.
Each document and email that the organization possesses must therefore be reviewed to determine if it contains personal data. If they do, a legal assessment must be conducted to identify the legal ground for saving it, and this assessment must also be documented. This review, assessment and documentation will take at least ten years of work – per terabyte.
The amount of work has led most organizations not to address the problem at all, and no tools have existed on the market to manage the problem.