The compliance challenges presented by GDPR will be significant for new companies setting up the rules and boundaries for their data collection and storage. The challenge is far greater for existing companies sitting on massive databases of existing records, many with records divided among divisions, units, brands, partners and vendors.
For companies already holding personal data on EU citizens, the choices are clear. They could, in theory, destroy everything and start fresh. None will do this for obvious and insurmountable reasons. That leaves them with virtually no choice. They must locate and map all relevant data and data sources in order to plan next steps.
Having mapped their data inventory and systems, these companies should remove or destroy irrelevant or expired data. An example of expired data would be customer records obtained through a prior, now defunct, relationship with a vendor or partner. Because GDPR calls for specific and limited use of data, the dissolution of the original reason for data capture renders the data useless. Therefore, it should be destroyed.
Companies that destroy data because its purpose has expired have no obligation to make consumers aware of the action. In fact, they can reasonably assume that they are meeting the consumer's new, GDPR-influenced expectations. In instances of requests to be forgotten, companies must prove complete erasure of personal data, likely within 30 days of the request.
With full implementation scheduled for May 2018, companies with existing records of EU citizens must begin their mapping and risk mitigation efforts now. Laggards will face a difficult choice: risk massive fines or erase all data as a last-ditch preventative measure.