Now that the GDPR is a month away, companies have accelerated their efforts to meet the requirements of this new European law. There are a number of things you have to consider. First of all, you have to explain to your customers what you are doing with their personal data, and you must do it in a way that your customers understand. Consent must be freely given, specific, informed and unambiguous. Any statement you make must be consistent with your practices, so be sure that it meets the needs of your business. You have to provide your contact details – the GDPR requires businesses that collect personal data to identify themselves. For example, if you plan to collect data for online advertising purposes, explain your advertising activities and describe the cookie or tracking technologies you are using. It’s important not to forget that you have to collect consent from existing contacts too: if you have data from past campaigns, you’ll have to inform those contacts as well.
Customers have the right to access their personal data, and businesses must also give customers a copy of the actual data. The data must be in a format that doesn’t prevent customers from transferring it to another system: a straightforward choice is a CSV file, and if you happen to have images or other non-ASCII binary data, just create a ZIP file and refer to the binary files from the CSV file. An exception is data that has been sufficiently anonymised, i.e., there is no means to link the data to individuals. Note that both data provided by customers and data observed by your system, e.g. event data generated by behaviour tracking in apps, have to be included – unless the data cannot be linked to specific individuals. If you share the data with third parties, you have to disclose this as well – and if you have acquired personal data (a dataset) from a third party, you have to inform the individuals in the dataset too.
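One way to build the export described above, as an added example that is not part of the original post: a ZIP file holding `data.csv`, with provided and observed data in the same file and binary files referenced by relative path. The function names, CSV columns, `files/` directory and sample record are assumptions made for illustration.

```python
import csv
import io
import zipfile

def build_export(user_id, provided, observed, binaries):
    """Return ZIP bytes: data.csv plus the binary files it refers to.

    provided / observed: lists of (field, value) pairs for this user.
    binaries: dict of field -> (filename, bytes), e.g. an uploaded image.
    """
    rows = io.StringIO()
    writer = csv.writer(rows)
    writer.writerow(["user_id", "source", "field", "value", "file"])
    for source, pairs in (("provided", provided), ("observed", observed)):
        for field, value in pairs:
            writer.writerow([user_id, source, field, value, ""])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for field, (filename, blob) in binaries.items():
            # Keep only the base name so an entry cannot leave files/.
            safe = filename.replace("\\", "/").rsplit("/", 1)[-1]
            if safe in ("", ".", ".."):
                safe = field
            path = "files/" + safe
            zf.writestr(path, blob)
            writer.writerow([user_id, "provided", field, "", path])
        zf.writestr("data.csv", rows.getvalue())
    return buf.getvalue()

def read_rows(zip_bytes):
    """Parse data.csv back out of the archive as a list of dicts."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        text = zf.read("data.csv").decode("utf-8")
    return list(csv.DictReader(io.StringIO(text)))

def missing_files(zip_bytes):
    """Return paths that data.csv references but the archive lacks."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        present = set(zf.namelist())
    return {r["file"] for r in read_rows(zip_bytes) if r["file"]} - present

# Constructed sample data for one user (not real personal data).
SAMPLE = build_export(
    "u-1001",
    provided=[("email", "anna@example.org"), ("note", "likes tea, coffee")],
    observed=[("app_event", "2018-04-20T10:15:00Z opened_offer")],
    binaries={"avatar": ("../avatar.png", b"\x89PNG\r\n\x1a\n")},
)
```

`missing_files` is a check to run before handing the archive over: every path named in the CSV should resolve inside the ZIP.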
In a nutshell: there are a lot of details you have to consider when working with personal data. We believe that the best way of dealing with the GDPR is simply not to have personal user data, and, if that is not possible, to minimize the amount of personal data that you collect. Our qonnect platform provides mechanisms that do not need personal information about users, like email addresses, names or phone numbers, to identify users on our platform. Our system generates random numbers as user identifiers that cannot be attributed to a specific individual, and thus users remain anonymous. Still, businesses (from which we do have “personal information”, since a business must register on our platform with a contact address, email and phone number) can reach users on our platform, since users express their interests by subscribing to topics they are interested in. It’s a simple mechanism, and we think that this helps to (re-)build the trust of users in businesses.
However, this is just the first step on a long journey with the goal of respecting the privacy of users. Remember the cartoon by Peter Steiner in the New Yorker stating that “On the Internet, nobody knows you’re a dog”? Looks like it’s time for anonymous dogs again, or at least for avatars that protect your privacy.