[rodgerd]

It's where being able to have strong guarantees about how customer data is being used becomes critical.

I'm required to keep evidence about your KYC information and your financial transactions for compliance purposes for (e.g.) 7 years after you stop doing business with me. If I'm using them for that purpose I'd be in the clear GDPR-wise.

However, the day I break off doing business with you I need to stop using them for marketing or sales leads - that would be a GDPR breach.

Where I suspect it will get very messy for companies is the sexy new "hoover all the data into ML models" is going to come a GDPR cropper because I doubt most of the people doing it can show that they purged it when their relationship with the data owner ended, if they even had one in the first place. They're sure as fuck violating copyrights all over the place.