Article 5.1.d requires personal data to be accurate. In fact, "...every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay."
The requirement is therefore that inaccurate personal data must either be rectified or erased "without delay."
This is a GDPR requirement that has a specific data governance slant. To determine whether all of the data of an EU natural person are accurate:
- All personal data in the organization's databases should be classified as such. The benefit of this is that it not only facilitates the accuracy requirement, but it also facilitates determining the nature of the breach response.
- All data classified as personal should be profiled using the accuracy rules relevant to the specific data container.
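The two steps above, sketched as an added example that is not the article's own tooling: a catalogue marks which columns are personal, and each classified column is profiled against an accuracy rule tied to its container. The `customers` table, its columns, the rules and the sample rows are all assumptions constructed for illustration.

```python
import re
import sqlite3
from datetime import date

# Step 1: classification. Hypothetical catalogue: container -> personal columns.
PERSONAL_COLUMNS = {"customers": ["email", "birth_date", "postcode"]}
def _matches(pattern):
    return lambda v: isinstance(v, str) and re.fullmatch(pattern, v) is not None

def _valid_birth_date(v):
    try:
        return date(1900, 1, 1) <= date.fromisoformat(v) <= date.today()
    except (TypeError, ValueError):
        return False

# Step 2: accuracy rules per (container, column); assumed rules for this sample.
ACCURACY_RULES = {
    ("customers", "email"): _matches(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    ("customers", "birth_date"): _valid_birth_date,
    ("customers", "postcode"): _matches(r"\d{4,5}"),
}

def profile(conn, key="id"):
    """Return (classified columns lacking a rule, rows failing their rule)."""
    unruled, findings = [], []
    for table, columns in PERSONAL_COLUMNS.items():
        for col in columns:
            rule = ACCURACY_RULES.get((table, col))
            if rule is None:
                unruled.append((table, col))
                continue
            # Identifiers come from the catalogue above, never from user input.
            sql = f'SELECT "{key}", "{col}" FROM "{table}" ORDER BY "{key}"'
            findings += [(table, pk, col, v) for pk, v in conn.execute(sql) if not rule(v)]
    return unruled, findings

def sample_db():
    """Constructed sample data, not taken from the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, birth_date TEXT, postcode TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", [
        (1, "anna@example.com", "1984-03-12", "10115"),
        (2, "bob(at)example.com", "1990-07-01", "75001"),
        (3, "carla@example.com", "2190-01-01", None),
    ])
    return conn

if __name__ == "__main__":
    print(profile(sample_db()))
```

Each finding identifies the record and field to rectify or erase; a non-empty first list means a column was classified as personal but has no accuracy rule yet.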
There are off-the-shelf data governance tools to perform data profiling, but they tend to be expensive. We do, however, have alternatives for organizations that don't have the budget (or the time right now) to procure data governance tools.