What is considered personal data, or “personally identifiable information” (i.e. data that can identify an individual), now includes IP addresses of digital devices, social media usernames and images of consumers’ faces. So, if you’re storing photos that include individuals’ faces or in some way processing social usernames, you need to obtain explicit consent first.

One of the core principles of the GDPR is to give individuals control over their data and to enable them to make clear and informed decisions about companies’ use of it. But in an effort to ensure compliance, many companies are actually giving people too much information, written in the very best of legalese. Instead, businesses need to be clear, open and concise about what data they are using, what they are doing with it, and why.