You may have recently seen several articles about the EU General Data Protection Regulation (GDPR), which comes into force on 25th May 2018. This regulation is designed to harmonise privacy laws across Europe and give individuals control over who they allow to store data about them. Organisations operating in the EU will have to get consent from individuals to store personal data about them and take measures to ensure the security of that data.
Organisations require a lawful basis for processing personal data. Not only do they need explicit consent from individuals to store their data, they also need a lawful reason for storing and processing it, e.g. performance of a contract for supplying goods or services, or a legal obligation of the organisation. Data should be kept for no longer than is necessary, so organisations will have to define data retention periods.
Individuals have the right to request from organisations the personal data held about them and to learn how this data is being processed. They also have the right to request that an organisation erase their personal data, “the right to be forgotten”.
Companies face heavy fines if they do not adhere to these regulations. More info can be found here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/