Understanding GDPR Law
To understand the importance of data security, you will need to understand what GDPR is and why it's important that your stored data is compliant with it.
The General Data Protection Regulation (GDPR) was introduced in 2016 and became enforceable in 2018. It falls under the jurisdiction of human rights law and privacy law, and it is enforced throughout the EU and EEA (including the UK).
GDPR specifies that to be authorised to hold someone's personal information (any information pertaining to them – the 'data subject'), your business must have their consent. For that consent to count, the data subject must have clearly stated and freely given authorisation for your business to hold their data for the purposes you stated.
A lot of businesses will present customers with a GDPR authorisation as they make their purchase online – often in the form of a 'sign up to hear more from us' option that asks them to agree to a privacy policy, giving the business the right to contact them using the data they give.
The data subject can request their information back from a business in the form of a 'subject access request' (SAR) at any time, so you must have all of their information appropriately stored so it can be found and returned.