
I don't know if that's right.

I don't think there's a requirement that HN has to keep delete personal data that they don't need, and FYI the Hacker News privacy policy they publish[1] argues they don't have to do it if they don't want to:

You agree that any termination of your access to the Site under any provision of this Terms of Use may be effected without prior notice, and acknowledge and agree that Y Combinator may (but has obligation to) immediately deactivate or delete your account and all related information and files in your account and/or bar any further access to such files or the Site.

so we're really out on a limb here anyway. But let's assume that HN is GDPR compliant, and say that they delete all personal data after 10 years and on request, etc... Are they then required to keep that data for ten years?

My guess is not. The ICO suggests[2] repeatedly that you not keep data any longer than is necessary, and that you repeatedly review whether it is necessary.

The ICO also says[3]:

However, in many cases, routine use of the data may result in it being amended or even deleted while you are dealing with the request. So it would be reasonable for you to supply information you hold when you send out a response, even if this is different to that held when you received the request

which makes it sound like it's acceptable, except:

it is not acceptable to amend or delete the data if you would not otherwise have done so.

which then suggests that HN only needs to have a policy that they delete personal data whenever it is identified for export. If I were HN, and I actually wanted to do this (however), I would probably call the ICO to confirm.

[1]: http://www.ycombinator.com/legal/

[2]: https://ico.org.uk/for-organisations/guide-to-data-protectio...

[3]: https://ico.org.uk/for-organisations/guide-to-data-protectio...




The text calls out "routine use" - this clause is to permit, e.g. the last access date on the account to be the date of access to the GDPR export request portal (deleting the prior value).

The point of GDPR is to force companies to explain the data they retain and show it to users on request. Setting up a scheme where data is retained but is never available to users for export is a great example of acting in "bad faith" that is likely to increase the possibility that a judge will make an example out of you.



