Microsoft will start honoring p=reject DMARC policies for incoming email which does not pass a DMARC check when the associated DMARC record designates a policy of p=reject. This affects inbound messages at Microsoft Outlook email addresses, Microsoft Hotmail email addresses, Microsoft Live email addresses, and MSN email addresses.
Not confirming email addresses can put your customer in physical danger, and can cause you legal liability if they are harmed. We've written before about how not confirming email addresses can potentially create real-world, real legal liability, because in certain settings, and particulately in ecommerce, it can actually lead to your customer suffering physical harm; maybe even death.
You may be wondering whether GDPR governs the handling of personal data which you collected before GDPR went into effect on May 25, 2018. The answer is both 'yes' and 'no', but mostly yes. It's also important to know that the UK incorporated the EU GDPR into UK law after Brexit, so you are still required to comply with the rules of GDPR if you are in the UK. In fact, the UK ICO (Information Commissioner's Office) says quite explicitly that "The provisions of the EU GDPR have been incorporated directly into UK law as the UK GDPR."