It has taken four years, but on 14th April 2016, the long awaited EU General Data Protection Regulation (GDPR) was adopted. This is the most far reaching piece of data protection legislation ever. It applies to companies serving customers in the EU and will impact organisations worldwide, including the UK (regardless of the referendum outcome). The ante has been upped in two major ways: 1) Much larger fines – up to 4% of turnover or 20M euros, 2) Stronger enforcement – meaning greater reputational risk.
Data that could be used to identify individuals is considered personal data, which means that location data (especially when combined with other data or unique identifiers) will be subject to much greater scrutiny. Individuals will have the right not to be subject to automated decision making (including profiling).
What does this mean for the emerging information ecosystem? We are entering a world in which data owners monetise their data assets, aggregators create data products sold via APIs, service providers deliver applications to customers built on this supply chain and location data is the glue that holds a lot of it together. We can expect the model of the online advertising ecosystem to become adopted by other industries. Companies up and down the chain will need to take a long hard look at their data products, information management processes and privacy measures.
Andrew Keevil assists technology companies with strategy and marketing, specialising in new proposition development.