Keeping Private Data Private: EU’s New Regulations

The General Data Protection Regulation (GDPR) is the European Union's new common framework for personal data and is expected to take effect in 2018. Because it is a Regulation rather than a Directive, its rules apply directly in every member state, although the text leaves member states room for local additions in specific areas.
The common rules are founded on the principles of the existing Data Protection Directive 95/46/EC, while aiming to remove the confusion and ambiguity that arose from each member state interpreting those principles differently.

"The regulations might be modified before they are approved, but businesses should start to evaluate early and have strategies in place to minimize impact."
Notice and Statement of Purpose. Consumers must be given clear notice of what data is being collected and for what purpose, both before a transaction begins and at the time it is completed.

No Blanket Opt-Ins. Consumers must be able to opt out of the collection or storage of data about them unless that data is required to complete the transaction. Even when the data is necessary, consumers can ask for it to be "forgotten" unless erasure would undermine warranty or support services. Consumers must explicitly opt in before their data is used for any purpose beyond the one originally stated, and they can change their minds and opt out at any time, even after previously consenting.

Audit and Penalties. Data protection supervisory authorities can audit companies at any time, and non-compliance can lead to significant penalties: fines of up to 4% of total worldwide annual turnover for a breach of the rules. Intermediaries that collect or analyse data on a company's behalf (processors) are also liable, not just the company that owns the consumer relationship.
Businesses that depend on data collection and analysis must ensure that every transaction and interaction with their consumers adheres to the new framework. Every loyalty program, cumulative discount or cash-back program, and every consumer activity database will be affected.

CIOs need to modify existing systems, or build new ones, so that consumers have a way to access, verify, and correct the data held about them. Robust processes will also be needed to oversee data privacy controls and to demonstrate compliance when an authority asks for it.

The regulation protects individuals who are in the EU regardless of their nationality, and it reaches organisations outside the EU that offer goods or services to those individuals or monitor their behaviour. In practice this means a non-EU business transacting with customers located in the EU must comply, even if none of its own systems or staff are in the EU.

The information in this article is general in nature and is not legal advice. If you need help or specific details about your operations in the EU, please write to us at or call +1-408-913-9130 to speak to our experts.