Written by Tomas Honzak |
GDPR requires limiting data collection to legitimate reasons
Plain and simple, at its core, GDPR prohibits the collection of personal data unless there’s a legitimate business reason for it. Let's look at one piece of data that is commonly collected, and at a few different scenarios, to see where there’s a legitimate business case for collecting it.
Let’s say I want to buy wine from an online merchant, and I’m asked to provide my date of birth before I can complete my purchase. In this case, there is obviously a legitimate, legal reason for the wine merchant to collect this data, and if they only use the data to validate my age, then they are fully compliant with GDPR. However, they may want to use my birthday so that they can send me a discount offer a week beforehand, or maybe send targeted offers for large volumes of cheap wine ahead of a student’s 25th birthday or for a special discount on a 50-year-old bottle of Martell cognac for someone turning the same age. In these cases, the merchant would need to ask for permission—or, in GDPR terms, a consent—before they start doing so. Again, the consent needs to be presented in a way that is clear and easy to understand, not hidden behind legalese.
What if they want to use the age information to analyze my spending habits? This is where GDPR does not have a clear and straightforward answer, so companies may need to do a privacy impact assessment. Collecting information on age can clearly help this merchant’s business by improving their stock management based on their customers' age. Does it bring any disadvantage for me as an individual whose birthday they have collected? Probably not. But do they need to collect my full birthday? I would argue that just my year of birth, or an even vaguer “age group”, would suffice. This still helps them improve their stock prediction, but it minimizes the risk for me as their customer in case of a data breach. And that is exactly how GDPR envisions companies would approach the collection of personal data.
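The data-minimization pattern described in the two paragraphs above (use the full date of birth only for the legal age check, persist nothing finer than an age group, and keep the birthday itself only when the customer has consented to birthday offers) can be expressed directly in code. The following is an added example written for this article, not code from the author or from any merchant; the threshold, age bands, field names and function names are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Assumed legal purchase age for the example (the article does not state one).
MIN_AGE = 18

# Assumed coarse age bands: broad enough for stock planning, too broad to
# identify or date a person if the order database leaks.
AGE_BANDS = ((18, 24, "18-24"), (25, 34, "25-34"), (35, 49, "35-49"),
             (50, 64, "50-64"), (65, None, "65+"))


def age_on(dob: date, today: date) -> int:
    """Completed years between dob and today (birthday not yet reached this year counts as one less)."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def age_band(age: int) -> str:
    """Map an exact age to the coarse band that is actually stored."""
    for low, high, label in AGE_BANDS:
        if age >= low and (high is None or age <= high):
            return label
    raise ValueError("age is below the lowest band; under-age customers are never recorded")


@dataclass(frozen=True)
class OrderRecord:
    """What the merchant persists. Note there is no date-of-birth field at all."""
    order_id: str
    age_verified: bool
    age_band: str
    # (month, day) only; populated solely when the customer consented to birthday offers.
    birthday: Optional[Tuple[int, int]] = None


def verify_and_minimise(order_id: str, dob: date, today: Optional[date] = None,
                        birthday_offers_consent: bool = False) -> OrderRecord:
    """Use the full DOB once, for the legal check, then keep only what the stated purposes need."""
    today = today or date.today()
    age = age_on(dob, today)
    if age < MIN_AGE:
        # The sale is refused and nothing about this person is written down.
        raise PermissionError("customer is under the legal purchase age")
    return OrderRecord(
        order_id=order_id,
        age_verified=True,
        age_band=age_band(age),
        birthday=(dob.month, dob.day) if birthday_offers_consent else None,
    )


def stored_fields(record: OrderRecord) -> set:
    """Helper for checks: the set of attribute names that reach storage."""
    return set(record.__dataclass_fields__)


if __name__ == "__main__":
    # Constructed sample input: a customer born 1 June 1999 ordering on 1 June 2024.
    rec = verify_and_minimise("order-0001", date(1999, 6, 1), date(2024, 6, 1))
    print(rec)  # age band only, no birthday kept
    rec_consented = verify_and_minimise("order-0002", date(1999, 6, 1), date(2024, 6, 1),
                                        birthday_offers_consent=True)
    print(rec_consented)  # month and day kept for the offer, year still dropped
```

The point of the design is that the exact date of birth exists only inside `verify_and_minimise` for the duration of the check; the record type has no place to put it, so a later developer cannot quietly start storing it without changing the schema. The leap-day case is handled by the tuple comparison in `age_on`, and the band lookup refuses anything below the minimum age so that refused sales leave no trace.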
Best practices for companies looking to ensure ongoing GDPR compliance
I find that many companies get bogged down by the sheer volume of articles in GDPR—which is perhaps why so many have started by just updating privacy policies—and struggle to grasp the need for and purpose behind GDPR. I suggest taking these 5 actions to shift their mindsets regarding GDPR:
- Make an effort to understand the underlying reasons why GDPR was created and what it’s trying to accomplish
- Understand the culture that created GDPR, and understand that other parts of the world place a different value on personal privacy
- Take inventory of what data your company collects, and compare that to GDPR’s definition of “personal information”
- Consider how that data is being used—whether it’s for the business’s advantage to try and extract more money from individuals at the cost of their privacy, whether it’s a need driven by the law, or whether the business can benefit from the information without taking an unfair advantage. These are all legitimate scenarios as long as you inform the person and obtain consent whenever you might be taking an advantage. In all other cases, limit the collection only to the data you really need.