It is your responsibility to secure the customer’s data once you have it. If you have a data breach and your customer’s data is stolen, the ICO can hit you with a hefty fine. So make sure you password-protect or encrypt your files and/or emails to keep the data safe. Do not let anyone have access to data that they shouldn’t have.
Subject Access Request
If a customer contacts you asking why they are receiving marketing from you, it is your responsibility to advise them how you obtained their data and why they are receiving it. In most cases there may be a perfectly reasonable explanation for why they have received a mailshot, but you must advise them within 30 days of their request. Failure to do so could result in the Data Subject taking you to a small claims court.
Right to be forgotten
If a Data Subject asks to be forgotten or removed from your database, you must adhere to this request. If you do not and they receive further marketing from you, then once again you could end up with a fine or a claim made against you.
I’m still confused by it all
Don’t worry, it is a lot to take in, but if you are still unsure about GDPR then please take the time to read the ICO’s website. There is a lot of useful information there, especially under the ‘guides to legislation’ section. The ICO is there to guide you, so if you have any questions please do not hesitate to contact them directly.