In summary it means:
- You should not keep anyone’s personal data longer than is reasonable
- You should know how you acquired that data
- You should know what data is stored where, how to get to it and how to delete it
- All your staff should know about it
You need to be ready for a “GDPR Subject Access Request”: that’s when someone asks you what data you have on them, and you need to be able to show them exactly what you have. If they ask you to remove it, you should be able to, and you should have a procedure in place for doing so that all your staff are aware of.
We have had meetings with specialist travel lawyers about GDPR and so have a good idea of what’s involved. It’s actually not as bad as it sounds.