The EU’s General Data Protection Regulation (GDPR) is a European privacy law that was approved by the European Commission in 2016. It will apply to all EU member states from 25th May 2018 and replace the current Data Protection Act 1998.
Among other things, the GDPR considers how organisations collect, use, store and manage personal data of EU citizens. Data collectors will be required to process personal data lawfully, transparently and for a specific purpose.
For Bike Share Schemes, this will have a significant impact on their operations across Europe. Their business model relies on collecting and using vast amounts of personal data such as names, addresses and credit card details to offer bike sharing services to users.
Many believe it’s the data mining aspect of Bike Sharing that has attracted billions in investment. During 2017, market leaders Mobike and ofo announced that they had secured $600 million and $700 million in funding respectively.
As GDPR is implemented across the EU, it is likely to impact both the operators and the investors. It will limit what organisations are able to do with the data whilst pushing operators to better align their data collection and handling processes.
Here are some of the main principles of GDPR that we see impacting Bike Share operators:
- Wider Scope of the regulation
GDPR applies to all organisations that operate in the EU or handle personal data of EU citizens, no matter where the organisation operates. It also defines personal data more broadly, and the definition now includes data such as IP addresses, behavioural data, location data, and financial information.
- Increased Individual Rights
Individuals have new rights under the GDPR, including the right to access the data, the right to rectify incorrect information, the right to restrict processing, the right to portability and the right to object to certain uses of data.
- Stricter Consent
Consent is one of the main aspects of GDPR. It is important to obtain explicit consent from individuals for distinct purposes, with a proof of record stating when and how consent was given. GDPR does allow for ‘soft’ opt-in, which enables organisations to send marketing messages for similar products or services as long as individuals are given the opportunity to opt out at any time.
- Transparent Processing
Individuals can request how their information is processed. Operators need to clarify the purpose for which the data was collected and should ensure that the purpose is limited and the data collected is kept to a minimum.
Bike Share operators across the EU will need to ensure they comply with the new GDPR. We recommend reviewing the current consent and data management process in terms of how operators seek, record and manage consent and whether it meets the GDPR standard.
Operators should also consider appointing individuals to take responsibility for data protection compliance. In some cases, it may be necessary to have a Data Protection Officer (DPO) under the GDPR.
It is also important that all organisations that work on an operator’s behalf follow the stricter regulations. The GDPR applies to data processors as well as data controllers when handling personal data.
At Stage Intelligence, we are experienced in handling personal data and ensuring that it meets the local and regional directives. Our partners around the world rely on us to manage information with the strictest confidence. We store and use data securely and our processes are optimised to support the growth of our partners.
To ensure all existing and new processes within your Bike Share operation meet the GDPR standard, we recommend consulting with GDPR lawyers and professionals.
To find out more about how Stage Intelligence can support your Bike Share Scheme with streamlined data management processes, please contact tom.nutley(@)stageintelligence.co.uk