Personal data and its protection is a key feature of the new GDPR. This includes clear limitations on is collection, storage and use being outlined in law, but also requires disclosure of data breaches, for which a high financial penalty may be applied. Our research has demonstrated that the accumulation and failure to delete digital data is very common, and lack of individual and organisational awareness of exactly what data is being held, may lead to inadvertent lack of compliance with GDPR, and also have cybersecurity implications. In this project we aim to measure the extent of digital accumulation of personal data, and interview stakeholder employees and management to assess the extent of this issue, and how effective are current organizational attempts to address employee understanding and compliance. We also aim to gain insight into developing intervention strategies to encourage employees to think more carefully about email deletion, especially in relation to personal data.