At its heart, the EU General Data Protection Regulation (GDPR) is intended to strengthen the rights of EU citizens to determine how their personal data is processed by organizations operating in the EU and abroad.
Per the official EU GDPR web portal, the regulation applies to all companies that “offer goods or services to—or monitor the behavior of—EU data subjects…regardless of the company’s location.” Unlike previous policies and directives, the GDPR is backed by significant penalties for non-compliance.
Under GDPR, organizations may only use customer-provided data for the purpose for which those customers have given consent. For geographically and transnationally dispersed enterprise companies, this represents an area of considerable GDPR compliance concern. For instance, under GDPR, Personal Data collected by a company from a customer to complete a transaction cannot be shared with that company’s marketing department unless the customer has also provided explicit consent for that purpose. The GDPR empowers both customers, to control their Personal Data, and the regulatory bodies conducting oversight on their behalf. To that end, ensuring and reporting upon data provenance will receive increased scrutiny.
GDPR also ensures customers have the “right to be forgotten.” Given the nature of legacy data-handling architectures and business processes, this may present the most difficult GDPR compliance challenge an enterprise-scale company is likely to face.
Not only does the right to be forgotten include the Personal Data directly related to a particular user, but it may also include data derived from the analysis of that user’s overall profile. For example, algorithmically derived recommender data generated by the analysis of a customer’s purchase history also falls under the GDPR rubric.