In summary it means:

• You should not keep anyone’s personal data longer than is reasonable
• You should know how you acquired that data
• You should know what data is stored where, how to get to it and how to delete it
• All your staff should know about it

You need to be ready for a “GDPR Subject Access Request” – that’s when someone asks you what data you have on them; you need to be able to show them exactly what you have. If they ask for you to remove it, you should be able to, and you should have a procedure in place on how to do it, of which all your staff are aware.

We have had meetings with specialist travel lawyers about GDPR and so have a good idea of what’s involved. It’s actually not as bad as it sounds.