The cost to companies in not applying new GDPR regulations, due to come into force in 2018, will be potentially massive, but when reviewing GDPR don't forget to factor in the right to be forgotten.
New GDPR rules don't give all subjects of data carte blanche to have their details removed from a website, but there are circumstances when they do have the right to have their details erased - otherwise known as the right to be forgotten.
For one thing, subjects of data can insist on having their data removed when the controller of the data failed to comply with the GDPR regulations.
Secondly, if the data no longer serves its original purpose, and no new lawful purpose exists.
Thirdly, if the subject of data gives consent for the use of data and this consent provides the legal basis for the data being processed, and this consent is withdrawn.
Fourthly, if the subject of the data objects and there is no overriding grounds for continuing with data.
Fifthly, the data was processed unlawfully.
And finally, if erasure is necessary for either EU Law or the law of a member state.