Any enterprise that deals with the personal data of any citizens from the EU member states will be aware of the upcoming General Data Protection Regulation, set to take effect in May of 2018. The GDPR requires companies that collect personal information to be compliant by the time the regulation becomes enforceable, which means new levels of security, transparency, and data management. In this article, we’ll take a closer look at what sort of compliance is expected from digital enterprises.
The GDPR requires that any company, whether in the EU or not, that collects, stores, and/or processes the personal data of EU citizens must obtain active consent for the collection of any such information. Furthermore, each company must clearly state their purpose in collecting and using personal data.
By extension, a company will no longer be able to retain personal information simply by virtue of having collected it; according to the GDPR, there must be a clear and ongoing use for it, or else the data must be discarded.
Regardless of the method used to collect or process personal data, each individual must first be notified of the business's intention to do so and given an opportunity to opt out. A company that uses one-to-one communication channels (like Facebook Messenger or Skype) must still obtain this consent, even if it has communicated with that individual in the past.
Here are just a few of the requirements of the GDPR. In the spirit of transparency, an enterprise must reveal to each individual:
- What data it holds about them
- Where that data will be stored
- Who will be processing it
- How the information will be used
- How long it will be stored
- Whether it will be transferred outside of the EU
As a simple example, imagine you are a consumer buying household goods from an independent digital retailer. The retailer will be required to inform you of the payment gateway provider processing their payments, and how your information (such as your name, address, credit card number, email, etc.) will be stored—as well as for how long it will be stored.
In the past, some companies have collected certain information, like shopping tendencies or browsing history, to sell to third parties for targeted advertising. Under the GDPR, an enterprise must obtain specific, unambiguous consent from users before it can share or sell any data. And again, the same requirements apply: individuals must be informed of who will receive the data, how long it will be stored, how it will be processed, etc.