Dormant Data: The Hidden GDPR Risk in Your Files

Your files store personal data nobody monitors. ROT data, GDPR Article 5 storage limitation: how to regain control in 48 hours.

4/28/2026 · 4 min read

Ungoverned isolated data — Dormant data GDPR

Your NAS has been storing project folders since 2018. Your shared server contains HR files from former employees who left five years ago. Your SharePoint archives commercial proposals with contact details for hundreds of prospects from tenders you never won.

Nobody consults them. Nobody knows exactly what they contain. Yet each of these files represents a potential GDPR violation — and a real attack surface in the event of an incident.

This phenomenon has a name: dormant data. For SMBs, it is the most widespread and least visible compliance risk.

Files: The Core of SMB Data Assets

Before addressing the risk, it is worth understanding where an SMB's data actually lives.

Structured databases — ERP, CRM, business tools — are visible, administered, and backed up. They receive regular IT attention. Cloud storage is growing, with SharePoint and OneDrive hosting an increasing volume of shared documents.

But the bulk of the data asset remains in files. Unstructured data — files, documents, emails, exports — represents the vast majority of data generated by organizations today, and continues to outpace structured data growth by a wide margin (IDC, Global DataSphere).

For an SMB, this translates concretely into: NAS servers loaded with decade-old archives, local workstations containing folders from departed employees, CSV exports generated for a one-off project and never deleted, PDF contracts that expired years ago stored "just in case."

This is where the problem begins. These files are not governed. They are not inventoried. And they often contain personal data that nobody suspects is there.

What GDPR Requires: The Principle of Storage Limitation

Article 5, paragraph 1, point (e) of the GDPR is explicit: personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

The rule is simple in principle: when the purpose that justified collection has disappeared, the data must be deleted or anonymized. A candidate file from six years ago no longer has an active purpose. An export created for a closed project does not either. Retaining them without documented justification is a breach of Article 5(1)(e) — not a grey area, a legal obligation.

European data protection authorities have consistently enforced this principle, issuing significant sanctions against organizations that could not demonstrate a legitimate purpose for retained personal data — fines reaching into the tens of millions of euros. In 2026, enforcement is intensifying. The message is unambiguous: the absence of a documented retention policy is a real risk, not a theoretical one.

ROT Data: When Your Files Become a Liability

In data governance, this accumulation phenomenon has a precise name: ROT data — Redundant, Obsolete, Trivial. Data that once served a purpose but continues to pile up without anyone taking responsibility for it.

Three concrete categories in an SMB:

  • Redundant — the same client file saved in three different locations: the NAS, SharePoint, and the local workstation of a sales rep who left two years ago. Three copies, three exposure surfaces.

  • Obsolete — expired supplier contracts from five years ago kept "for reference" in a shared folder with overly broad access permissions. Or former employee HR records retained beyond the periods recommended by data protection authorities.

  • Trivial — temporary files, drafts, test exports created during a project. Yet they often contain real data — names, email addresses, sometimes national ID numbers extracted for a one-off verification.


These files share one characteristic: they exist outside any governance framework. They are not in your records of processing activities. Your DPO does not know they exist. And in the event of a regulatory inspection or a security incident, their presence is an aggravating factor.
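As an added illustration of how the three ROT categories can actually be tagged on a file tree (this is example code written for this page, not APOLLO Data Auditor's scanner, which the page does not show), here is a small Python inventory. It hashes file contents to find redundant copies, compares modification time against an assumed five-year retention threshold to flag obsolete files, uses assumed name hints (.tmp, .bak, .log, "draft", "test", "copy") for trivial files, and marks a file as holding personal data if it contains an e-mail address. The sample share it scans is constructed inline and mirrors the three cases in the list above.

```python
"""Minimal ROT (Redundant, Obsolete, Trivial) file inventory.

Added illustration, not APOLLO Data Auditor code. Assumptions (constructed):
a fixed retention threshold, an e-mail regex as the only personal-data
detector, and a few file-name hints for 'trivial' files.
"""
import hashlib
import os
import re
import tempfile
import time
from collections import defaultdict
from pathlib import Path

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
TRIVIAL_SUFFIXES = {".tmp", ".bak", ".log"}      # assumption: typical leftovers
TRIVIAL_NAME_HINTS = ("draft", "test", "copy")   # assumption: name fragments
DAY = 86400


def _sha256(path):
    """Content hash: files with the same digest are copies, whatever their names."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _holds_personal_data(path, max_bytes=1 << 20):
    """Cheap detector: any e-mail address in the first 1 MiB counts as personal data."""
    with path.open("rb") as fh:
        return EMAIL_RE.search(fh.read(max_bytes)) is not None


def scan(root, retention_days=5 * 365, now=None):
    """Walk `root` and tag every file with its ROT categories.

    One record per file: path, digest, age_days, categories (subset of
    'redundant' / 'obsolete' / 'trivial') and personal_data (bool).
    """
    now = time.time() if now is None else now
    records, by_digest = [], defaultdict(list)
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        digest = _sha256(p)
        by_digest[digest].append(p)
        age_days = (now - p.stat().st_mtime) / DAY
        cats = set()
        if age_days > retention_days:      # past the assumed retention period, no purpose documented
            cats.add("obsolete")
        name = p.name.lower()
        if p.suffix.lower() in TRIVIAL_SUFFIXES or any(h in name for h in TRIVIAL_NAME_HINTS):
            cats.add("trivial")
        records.append({"path": p, "digest": digest, "age_days": age_days,
                        "categories": cats, "personal_data": _holds_personal_data(p)})
    for rec in records:                    # second pass: a digest seen more than once is redundant
        if len(by_digest[rec["digest"]]) > 1:
            rec["categories"].add("redundant")
    return records


def summarize(records):
    """The counts a DPO asks for first: ROT files overall, and ROT files holding personal data."""
    rot = [r for r in records if r["categories"]]
    return {
        "files": len(records),
        "rot_files": len(rot),
        "rot_with_personal_data": sum(1 for r in rot if r["personal_data"]),
        "by_category": {c: sum(1 for r in rot if c in r["categories"])
                        for c in ("redundant", "obsolete", "trivial")},
    }


def build_sample_tree(base, now):
    """Constructed sample share mirroring the three categories in the article."""
    base = Path(base)
    (base / "nas" / "clients").mkdir(parents=True)
    (base / "sharepoint").mkdir()
    (base / "workstations" / "jdoe").mkdir(parents=True)
    client = b"Client: ACME, contact: jane.doe@example.com\n"
    for rel in ("nas/clients/acme.txt", "sharepoint/acme.txt", "workstations/jdoe/acme.txt"):
        (base / rel).write_bytes(client)                 # same file in three places
    old = base / "nas" / "supplier_contract_2019.txt"
    old.write_bytes(b"Contract with Bob <bob@supplier.example>, expired.\n")
    os.utime(old, (now - 6 * 365 * DAY, now - 6 * 365 * DAY))   # six years old
    (base / "sharepoint" / "id_check_export.tmp").write_bytes(b"name,email\nA,a@example.org\n")
    (base / "nas" / "roadmap.txt").write_bytes(b"Q3 roadmap, no personal data here.\n")
    return base


def demo():
    """Build the constructed share in a temp dir, scan it, return (records, summary)."""
    with tempfile.TemporaryDirectory() as tmp:
        now = time.time()
        records = scan(build_sample_tree(tmp, now), now=now)
        for r in records:
            r["rel"] = r["path"].relative_to(tmp).as_posix()
        return records, summarize(records)


if __name__ == "__main__":
    records, summary = demo()
    for r in records:
        print(f"{sorted(r['categories']) or ['-']!s:<28} pii={r['personal_data']!s:<5} {r['rel']}")
    print(summary)
```

Running it prints one line per file with its categories and whether personal data was found, then the summary counts; the duplicate client file is reported three times, once per location, which is exactly the "three copies, three exposure surfaces" point. Real deployments would replace the e-mail regex with proper classifiers and read the retention threshold from the records of processing activities rather than a constant.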

The Double Risk: Compliance and Security

Dormant data simultaneously creates two types of risk.

Regulatory risk. In the event of a GDPR audit, the absence of an applicable and documented retention policy constitutes a breach of the accountability obligation under Article 5(2). An application file from 2019 still sitting on your server is not a forgivable oversight — it is a documented infringement.

Security risk. Incidents involving data exfiltration have risen sharply in recent years, according to ANSSI and ENISA threat landscape reports. The dominant modern ransomware technique — double extortion — involves exfiltrating data before encrypting it. What attackers take is everything that is stored: including dormant files from years ago that nobody remembered.

And this is where the problem closes on itself. In the event of exfiltration, you must notify your supervisory authority within 72 hours (GDPR Article 33), specifying the nature and volume of personal data involved. Without an inventory, you cannot draft that notification accurately. And failure to notify within the deadline is itself an additional infringement.

Why Cloud-Only Tools Are Not Enough

A common misconception is that migrating to the cloud solves the problem. It moves it.

Cloud governance tools monitor what is in SharePoint, OneDrive, or cloud storage. They do not see the files on the NAS in the regional office. They do not see the archives on the legacy Windows server still in production. They do not see the local workstations of field teams.

Yet this is precisely where ROT data has been accumulating for years. Cloud storage grows — but it adds to local files, it does not replace them. A compliance strategy that ignores local files ignores the bulk of the risk. Both axes must be covered.

What APOLLO Data Auditor Enables

APOLLO Data Auditor addresses exactly this problem. Its local agent scans all files — NAS, Windows and Linux servers, network shares, local workstations, and OneDrive and SharePoint in the cloud — and produces a complete inventory of detected personal data. This scan feeds four dimensions of analysis: GDPR and CCPA financial exposure in euros and dollars, compliance scoring by article, protection posture and resilience, and data maturity and value.

Not a declaration — a scan. Not an estimate — a measurement on actual data.

Deployable in 48 hours, without modifying your infrastructure, without a dedicated team.

contact@aiia-tech.com

© 2026 aiia-tech.com | Framework APOLLO™ - Protected Methodology.