By Bassim Alkhafaji, Partner at Andra Capital
The General Data Protection Regulation (GDPR) is the European Union’s personal data protection regulation, with a set of guiding principles and personal data rights. These include forward-looking regulations setting the landscape of how personal data gets collected, processed, analyzed, stored, retained, monetized, and accessed by any organization that collects data in the EU. Its goal is the protection of individual privacy. As the European Commission puts it, “It’s your data—take control.”
Consumers will see impacts on the way they interact in almost every aspect of their daily activities and interactions, direct or indirect, on social media, internet communications, e-commerce, retailers, banks, governments, and professional and educational institutions — just to name a few. The biggest impacts GDPR will bring to consumers are consent to provide their personal data, awareness that their data is captured, and the option to opt out of certain data collection techniques and processes.
Various institutions, organizations and corporations have started implementing compliance processes – including email notifications, cookie acknowledgements, form consents, updated terms and conditions, updated marketing opt-ins, consent to remove all previously collected data – to engage consumers in their rights to manage and govern their data. These measures will also provide consumers with transparency in the notifications process of what data is, was and will be collected, as well as an option to opt in or out of retaining any previously provided personal data such as emails, phone numbers, addresses, etc.
Consumers engaged with online retail and e-commerce activities will be faced with changing regulations on their online selling activities. Specifically, there will be regulations on how they collect and manage customer data, whether they are operating their own portals and data collectors or using B2B and B2C e-commerce websites like Alibaba, Amazon, eBay, Shopify, etc. Most importantly, consumers conducting e-commerce across national borders must abide by the GDPR’s Transfers of Personal Data to Third Countries or International Organizations policy, outlined in Articles 44-50.
Among GDPR’s most difficult provisions is the data breach notifications provision: specifically, its enforcement claims and penalties in operating automated data collection mechanisms such as product labeling, RFID scanners and credit card scanners. Retailers will also need to determine if the collected data is being processed by independent data processors and collectors (contractors and subcontractors). This falls under the Data Protection Directive Act of 1995, which was modified for inclusion in GDPR under Controller and Processors (Articles 24-43).
GDPR is an evolving compliance process that will be adjusted as its impact across the globe unfolds over the coming months — indeed, it is a marathon, not a sprint.
About the Author
Bassim Alkhafaji, CEO of Andra Capital, has an impressive information technology track record as an accomplished CTO, CIO, and CISO, spanning a long career spent in world premier financial institutions, servicing asset management and investment banking. He also has a track record of building financial trading applications and managing global enterprise applications integration in distributed enterprise computing environments. Previously, he led efforts to create and incubate several hedge funds and alternative investments platforms. He is passionate about overseeing trending technologies across blockchain, fintech, and regtech (regulatory technology).