Towards better data processing, driven by the Data Protection Regulation
The new EU data protection regulation forces companies to review their processes and tools for processing personal data and to document their practices. As the use of big data in business is here to stay, collecting and processing data in the right way will ensure a good basis for customer-centric business development. A customer-centric, transparent and mutually beneficial data management framework is an investment that pays for itself.
The practical application of the requirements of the Data Protection Regulation is one of the concerns raised by our customers. In the absence of clear guidance, companies are having to create it themselves at this stage. We have summarised our views on the practical technical implications of the Regulation for most websites as follows:
1) Most websites have data collection forms. Under the new data protection legislation, the collection and use of data must in future have a documented authorisation. If you use a form to collect data for marketing purposes, for example, you must have clear permission from the person who filled in the form. Separate consents are needed for different types of use; one generic "you can do whatever you want with my data" consent is not enough.
Implications: updating forms to document consents/prohibitions; creating a database of consents.
2) Various types of personalised cookies are also commonly used, and they cannot be treated differently from other data collection. The different types of cookies (analytics, user experience cookies, marketing cookies...) must be distinguished, and their use must be subject to separate consent. As with other types of consent, the data subject must always be able to withdraw his/her consent, which in turn requires technical solutions to manage the data.
Implications: functionality to allow/deny the use of different types of cookies; database for data storage.
3) The data collection, management and use practices must be documented, and the data subject must be given access to the record description. Since the data subject also always has the right to know what information is stored about him/her, to correct it and, if he/she so wishes, to have it deleted, the record description must also show how these measures can be easily carried out.
Implications: technical implementation and presentation of the record description; solutions for managing customer contacts.
The above list is not exhaustive, and technical protection of data, for example, must always be taken into account in all processes. Each company should look at the processing of personal data from the perspective of its own business to determine the necessary measures. Practices will vary, and so will the technical solutions that need to be put in place to support these processes.
Guest pen