
> You only keep what you need for the time that you need it

Just to add that it's stricter than that - you can only keep the data that is required for the purpose that you detailed to the customer. E.g., if you ask for their email address for password validation, then you're not allowed to use that email for other communication unless you explicitly asked for that as well.




I completely agree, GDPR is definitely a more detailed ruleset than what I outlined, but from a data management superset perspective you would have the mechanisms and facilities to deal with the GDPR-specific rules anyway.

I've found that this is mostly a problem in organisations where data isn't managed, the government doesn't protect the people, or where some vague value is assigned to the data (so it does get stored, but when it leaks it is supposed to not have value and therefore do no damage). So looking at it from a "you will be managing it anyway" angle has worked well for me when trying to activate teams/units/orgs.



