Even if you have a lawful basis for collecting data, in theory the GDPR is in theory restricting you to only use it for that basis, delete it as soon as you don't need it anymore, have a plan on how to store and handle it, and requires you to follow best practices when doing so. Backups, encryption, regularly testing the technical and organizational measures that protect the data are in theory all mandated. Also, on the topic of this post, notification of data breaches when they occur

But enforcement is just laughable. Even on easy to observe issues like which data is collected