The General Data Protection Regulation (GDPR) imposes new rules on organizations established in the European Union (EU) and, regardless of where they are located, on organizations that offer goods or services to people in the EU or that monitor and analyze the behaviour of people in the EU.
Organizations need to change their internal processes and IT infrastructure to meet the demanding requirements of this regulation. They must protect personal data with appropriate security measures, notify the supervisory authority of personal data breaches, obtain valid consent where consent is the basis for processing, keep records of their processing activities, give clear notice of data collection, state the purposes of processing, define data retention and deletion policies, train privacy personnel and employees, audit and update data policies, and appoint a Data Protection Officer where required. These changes are complex, and companies that fail to implement them risk fines of up to EUR 20 million or 4% of their total worldwide annual turnover, whichever is higher.
Marketing practices will be directly affected: companies will no longer be able to simply collect data via cookies without first informing users what will be done with their data, and customers will be able to require companies to correct or erase their personal data at any time. Data collection will also become more demanding, as companies must provide users with the following additional information to ensure fair and transparent processing: the period for which the data will be stored; the rights of rectification, erasure, restriction and objection; the right to withdraw consent at any time; the right to lodge a complaint with a supervisory authority; the consequences of a user's failure to provide data; and the existence of automated decision-making, including profiling, together with its anticipated consequences for the user.
I can help companies review their current practices, review their data collection and data storing processes, review their marketing practices and recommend the minimum necessary changes to ensure compliance.