This is an interesting approach –
“At least one company is looking to remove as much risk as possible. According to Wired, Wetherspoon has simply deleted all of the email addresses from their marketing database. Instead, the company plans on marketing via social media channels, including its Facebook and Twitter accounts, as well as its corporate website. Wetherspoon is doing this to help prevent heavy fines that range from either 2%-4% of gross revenue or 10,000,000 EUR to 20,000,000 EUR, depending on which penalty is higher. Enforcement will go into effect in May of 2018.”
It’s not just good strategy for avoiding any problems with the EU rules; it’s also a pretty smart anti-hacking strategy. Data you don’t have can’t be breached. So what do we have to do to make the penalty for having your data breached high enough that companies will consider just not keeping it?