One of the topics that seems to be creating the most discussion is what is the expectation when it comes to managing Outlook contacts in relation to GDPR? As this excellent post indicates the level of risk in relation to holding contacts that most professionals have gathered over the years is very low and in fact there may not even be a compliance issue at all. However that doesn't stop those working with CRM systems having to worry about it. I am working with a firm at the moment where Risk are seriously considering deleting all Outlook contacts and severing the link between Outlook and CRM. One of the challenges with the GDPR legislation is balancing a strict adherence to the legislation with a pinch of "practical business salt" and common sense. Cleaning out old contacts is quite honestly just good practice, maintaining the details of your nanny or dentist should be something that you do in your phone not in your firm's business systems and users should access business contacts directly from the CRM system and do-away with all the messy Outlook sync (which anyone in IT or CRM will tell you is a total pain in the proverbial anyway). But we don't live in that world. The ICO want to ensure that businesses take care of their clients' and contacts' personal data, they don't want to slap fines on firms who are putting processes in place and minimising risk but may not have sought consent from every single person on whom they hold data. As we are now less than 100 days before GDPR comes into force, it seems increasingly that firms are recognising that the greatest risk to their business with GDPR is a knee-jerk reaction which limits their ability to manage their business effectively and practically.
Most people in business will have accumulated large contact lists in Outlook email systems or similar, containing many names and other contact details built up over a number of years. Will the GDPR really require that data to be reviewed or deleted or specific consent for it to be obtained? Or what remedy, if it were later found that this data were not validly held?