With GDPR imminent it is worth describing the systems that we have put in place for our customers on the TERMS MIS. This is a basic guidance for the sorts of changes that will be required for data compliance under GDPR.
The first thing that you must think about is that you cannot hold data without justification. If you have a customer that you have not dealt with for several years then you do not have an legitimate reason for keeping their data unless there is a legal or contractual obligation.
If you keep a simple contact list then you need to know the date you last interacted with that contact and remove older records. This includes mailing lists and you ought to make sure that people are still happy to be on your mailing/contact list. This approach has to be by them deliberately opting into your service, you cannot keep them on your lists if they simply to not reply to an option to be removed.
In effect you must as everyone’s permission to retain their details unless you have a legal basis to bypass this question.
For data this means removing old records and any associated information, especially information that may help to identify a person. The data may be internal to the company, such as old staff records, or it may be commercial.
Data cleaning can be a long process and it is easy to accidentally miss storage of personal data. For example, backups will have old records and these need to be accessed.
Once you have removed all of your old data you need to have processes in place that will allow people to select how they wish to be contacted. Your services may have implicit contact options – e.g. online sales using email – but all options needs to be monitored for individuals. Again, there may be legal or contractual requirements that allow you to contact people by specific means, but you need to be sure about these methods under GDPR.
If you have not produced a Privacy Notice for your web site then you need to either create one or have one created for you. The Privacy Notice is a legal requirement and details how you will use personal information.