Businesses must acknowledge that being transparent about how data is used and protected is now required by law. Each organization (including charities and public sector entities) must define a scope for which they collect specific data.
You should only collect personal information that is needed to provide the service or product and nothing more. Also, the data should not be shared for other unrelated purposes.
Another big thing is to keep the data safe from hacking, accurate and up to date, and even delete it after a period.
General Data Protection Regulation is leaving lots of room for improvement when it comes to protecting individuals. This is why the future ePrivacy Regulation will bring even more transparency, especially in Big Data, shedding some light on occurrence and purpose of analytics. This should be a good enough reason to monitor and audit your data on a regular basis.