We have an engagement letter which covers GDPR, approved by the director. A 50% shareholder (husband of director and other 50% shareholder) has advised us that:
a) he does not want us to use an online document storage system (in this case Iris OpenSpace, but it could be any) for shareholder accounts and other shareholder documents because he considers them unsafe. He wants us to use password-protected attachments, which is fine, but it means we have to spend time and use a system we would not use ordinarily.
b) he wants us to remove any personal details from our systems and to receive a confirmation that his 'right to be forgotten' has been taken care of. In the case of accounts our database would have him recorded as a shareholder and would have information about him that would be on public record at Companies House. However, we also process the payroll for the company and if we remove his details from the payroll we will be unable to process his pay!
What is the GDPR position? Do we need to get consent from every shareholder and every employee? If so, it is ridiculous because a) it will take up an enormous amount of resources and I doubt whether clients will be willing to pay, and b) we will spend our time chasing people to give consent before we can process company forms such as Confirmation Statements, etc., and employee payrolls.