Should be as simple as this. You need a licence to hold personal data. It can be revoked. If it IS revoked, you need to delete the personal data as you are no longer considered fit to hold it.
Not really that complex. Of course anyone relying on data from someone who didn't have a licence to hold it would be on VERY Dodgy ground, legally.
Which would basically screw their business model completely. Which is what they deserve for this.