bignosePersonal data on users of a service, is dangerous like toxic waste.
It's not an asset, it's a liability, to be minimised and disposed of where no one can ever access it.
Hold onto it long enough, it *will* cause a disaster that spills far beyond your organisation. The more of it you hold, the longer you hold it, the worse that is.
Ideally: Never collect personal data. Practically: Collect only what *truly is necessary* for the function, and destroy it *as soon as you can*. Stop trying to extract "value" from it.
https://craphound.com/articles/2020/03/18/data-is-the-new-toxic-waste/