I'd be inclined to save the files I really did have a case for saving, and trash the rest. I mean, it's not burningly urgent - but if you do get a GDPR redaction request, they'd definitely count as databases containing personal data. So at least make sure they're on your ever-expanding list of things you need to keep in mind.
That SAAFE policy looks awesome, actually. Nobody knows if "30 days" for sysadmin and security purposes will be 100% legally robust - but it seems to be turning into a reasonable best practice, as far as I can tell.
In the threat model of a GDPR legal battle with a querulous so-and-so, good faith in all other practices concerning personal data will definitely get you a lot of points, and that SAAFE policy is about as safe as it can get - "we actively don't want your personal data except for functionality purposes."
no subject
That SAAFE policy looks awesome, actually. Nobody knows if "30 days" for sysadmin and security purposes will be 100% legally robust - but it seems to be turning into a reasonable best practice, as far as I can tell.
In the threat model of a GDPR legal battle with a querulous so-and-so, good faith in all other practices concerning personal data will definitely get you a lot of points, and that SAAFE policy is about as safe as it can get - "we actively don't want your personal data except for functionality purposes."