The reason I'm asking is how long should we keep emails and payment details for sales?
At a glance | Your data rights
The General Data Protection Regulation (GDPR) is a tough regulation regime for companies that gather personal data, introduced by the EU in April 2016. Enforcement begins 25 May 2018.
The GDPR legislates eight data rights for individuals:
- Right to be informed – You must be clearly informed when your data is collected and the purpose for which it is intended.
- Right of access – You must be allowed to view the data companies have gathered on you.
- Right to rectification – You have the right to correct erroneous information about yourself in a company’s data records.
- Right of erasure – Also known as the “right to be forgotten”. You have the right to request the deletion of personal data held on you, although this right is not absolute.
- Right to restrict processing – You can request the suppression of your personal data file, or restrict its processing.
- Right to data portability – You have the right to take the data a company has collected on you and share it elsewhere, e.g. to get a better customer deal.
- Right to object – You have the right to object and prevent your data being used for particular purposes, e.g. for direct marketing. This right is superseded by legal claims.
- Rights related to automatic decision-making – You may only be profiled with your explicit consent, where this is necessary to enter into a contract or where such processing is authorised by the state.
Post-Brexit the UK is likely to introduce its own equivalent data protection law. In any case, companies which gather data on EU citizens will have to abide by the GDPR.