With the rise of fake news, Facebook fallouts and privacy breaches (looking at you Equifax), data privacy has quickly transformed from an often overlooked afterthought to one of the fastest growing controversies of the past decade. 

To combat growing privacy concerns, the European Union introduced a new piece of legislation (GDPR) that mandates how companies collect data, and those regulations comes with hefty penalties if broken. To highlight the seriousness of GDPR guidelines, fines can reach up to four percent of a company’s global revenue. To put that in perspective, a four percent fine on Amazon would be $7 billion.  

Although not required by US law at this time, the below guidelines are a great place to start for anyone, especially those collecting and using customer data: 

  • Have clear written documentation that you’re collecting a user’s data. Per GDPR, it must be “freely given, specific, informed and unambiguous.”
    • If you have a current privacy policy on your site, make data collection policies clear. 
    • If you don’t have a privacy policy on your site – create one. 
  • Collected data needs to be truly required data for your business need (think email address and name – not religion or race). 
  • Remain clear as to how long the data will be stored and how that data will be used.
    • After expired time, make sure you have processes in which this data is removed from your data warehouse. 
  • Do not share and/or sell data to an outside third party. 
    • If there’s a security breach with any data, all users need to be notified
  • GDPR regulations state this needs to happen in 72 hours.