Everyday blips Paragraph 5, Article 17
May 2, 2026 Inspired by: French Shooting Federation

750,000 weren't even members anymore


When the French shooting federation was hacked in October 2025, the system contained data on one million individuals. However, only 250,000 of them were active members with a valid license. The rest — 750,000 — were former members who had quit months or years ago.

GDPR Article 5(1)(e) states that personal data should not be kept for longer than is necessary for the purpose. When a member lets their license expire and does not renew, there is rarely a reason to keep the data. Had the federation deleted the inactive records, three out of four of the people in the system would never have been exposed.

It's not just about shooting clubs. Sports clubs with children's social security numbers. Patient associations with health information. Trade unions with employer data. Most Norwegian associations have a member register that grows, but never shrinks.

**Practical point:**
Open the membership register and filter by last paid dues. For anyone who hasn't been active for two years or more, ask whether you still need their information. Define a retention period for member data in the association and set an annual reminder for cleanup.
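The filter described above, as an added example that is not part of the original post: a Python script that sorts a CSV export of the register into records to keep, records past the retention period, and records that need a manual look. The column names, the two-year period and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

RETENTION_YEARS = 2  # assumed period; the association defines its own

# Constructed sample export (not real data); column names are assumptions
SAMPLE_REGISTER = """member_id,name,last_paid_dues
1001,Member A,2026-01-15
1002,Member B,2024-05-02
1003,Member C,2024-05-03
1004,Member D,2019-11-30
1005,Member E,
1006,Member F,30.02.2021
"""

def cutoff_date(today, years=RETENTION_YEARS):
    """Date exactly `years` before `today` (29 Feb falls back to 28 Feb)."""
    try:
        return today.replace(year=today.year - years)
    except ValueError:
        return today.replace(year=today.year - years, day=28)

def review_register(csv_text, today, years=RETENTION_YEARS):
    """Split member ids into keep / past_retention / manual_review."""
    cutoff = cutoff_date(today, years)
    result = {"keep": [], "past_retention": [], "manual_review": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get("last_paid_dues") or "").strip()
        try:
            last_paid = date.fromisoformat(raw)
        except ValueError:
            # Missing or malformed date: never auto-delete, a person decides
            result["manual_review"].append(row["member_id"])
            continue
        # "Two years or more" means the cutoff day itself is past retention
        bucket = "past_retention" if last_paid <= cutoff else "keep"
        result[bucket].append(row["member_id"])
    return result

if __name__ == "__main__":
    report = review_register(SAMPLE_REGISTER, today=date(2026, 5, 2))
    for bucket, ids in report.items():
        print(f"{bucket}: {len(ids)} -> {', '.join(ids)}")
```

Rows with a missing or unreadable payment date go to manual review rather than deletion, so a data-entry error never removes an active member.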
