In response to our invitation to contact us with GDPR enquiries, one kind reader has bowled us this particular googlie:
Most people in business will have accumulated large contact lists in Outlook email systems or similar, containing many names and other contact details built up over a number of years. Will the GDPR really require that data to be reviewed or deleted or specific consent for it to be obtained? Or what remedy, if it were later found that this data were not validly held?
Using this personal data for proper business or business development purposes post May 2018 without new specific consent should not be a problem. Challenges to the validity of consent given as part of the employment contract (i.e. that it is essentially provided under duress and hence void) will not apply to consent given outwith that contract. No-one in your Outlook list had to give you their details as a condition of getting or keeping their job. For practical purposes, therefore, we would say that you could rely on the fact that the information was provided to you willingly and in many cases in the specific expectation of further business-related contact.
However, most Outlook lists contain details of people you can no longer recall and have no intention of speaking to again. It might therefore be said that you are retaining their data without legitimate reason, and therefore that you should either obtain their consent to your holding it (merely storing data is processing it for GDPR purposes) or delete it. Clearly this is the ideal, but it is very unlikely that this would be required in practice. This is partly because it would be totally impracticable to seek consent or to police that obligation, but primarily because the mere holding of data causes no risk to the individual who gave it to you. It is only when you start to do something with it that any realistic exposure might arise. Giving those contact details to cold-call organisations, double-glazing salesmen, debt collectors or vengeful exes, for example, would clearly expose you to a claim.
The people whose data you hold in Outlook are entitled to treat you as the data controller of that data and therefore to ask you to update, correct or delete it as they wish. In the very unlikely event that some passing acquaintance from years ago contacts you with a demand for their data to be deleted and for them to be “forgotten” (legally, as opposed to actually, which you perhaps did within hours of meeting them), that is a legitimate requirement. If you do not comply then that is again potentially the subject of a claim or complaint to the ICO. In practical terms, however, you would expect that to come only from your subsequent use of personal data which you have been asked to delete, rather than from the failure to erase by itself.
Penalties for the inadvertent holding in Outlook of personal data of this sort are unlikely to be material, certainly if any enforcement notice from the ICO is complied with when received. If you make use of that personal data improperly then the GDPR will provide a right to compensation, but it is hard to think that this will be at any materially different level from the compensation awardable under other parts of the law (e.g. discrimination) where distress or inconvenience is caused. Batting off telesales people is irritating for the person whose data you gave away improperly and so might feature at the very bottom end of the injured feelings scale, but physical injuries caused by that ex would be a very different financial proposition altogether. Serial offenders may face larger fines but in this sort of area you are miles away from the €20m/4% of global turnover penalties featured in the headlines.