For how long do you store personal information? How do you know when personal information is older than this? How do you ensure that older personal information is deleted? Is it sufficient? If required to demonstrate compliance, how would you do it?
