GDPR practical summary (credit to Matt Richeson Facebook). I thought it'd be useful to post it separately.

Customers have the right to request corrections to data, so you may need the ability to amend and correct PDFs.

Customers may request that you delete their data, and unless you have legitimate, legal or contractual basis for keeping their information, then you have to.

If someone contacts you wanting to know what information you have about them on file, you have 30 days to provide this back to them in an electronically portable medium (PDF is fine). You cannot charge them for this.

Email is a database, as are contacts lists and phone address books, so you will have a reasonable duty to keep those up to date and sanitised if people do not wish you to contact them.

GDPR covers paper media, so if you keep paper files, then they need to be filed securely and destroyed as well. Throwing a customer's details in the bin rather than shredding them is technically a data breach, and ought to be reported to the ICO.

If your PC (or backup drive / memory stick) gets lost / hacked / stolen you will still have 72 hours to inform the ICO and take measures to inform customers that their data may have been compromised.