I’m wondering if you can help me settle an in-office ‘discussion’ around GDPR and whether we can keep a list of people who we are our target market but who we don’t actually have any contactable data (email, phone, etc) for. We will have their name and place of work (and maybe position) but won’t be contacting them via our database unless they contacted us and shared their crucial details. Essentially, we’re keeping them as a wish list.
If you can identify an individual person in any way from information you store about them, regardless of whether you contact that person or not, then I believe the new GDPR laws will still apply. Here in the UK, the Information Commissioner’s Office (ICO) have powers to enter companies and search computers and servers for precisely this type of data – as we all saw when they went into Cambridge Analytica recently. I hope that helps your discussion.