We’re barely a few months into GDPR. The confusion and anxiety that businesses faced with respect to GDPR compliance before the regulations became law, unfortunately, are still prevalent. Not surprising! Some businesses were proactive enough to dig deep, engage with cybersecurity and data protection experts, and seek dedicated GDPR readiness services. Most, however, chose to wait and watch, citing lack of clarity as a major deterrent for GDPR compliance. The half-hearted and uncertain approach that many businesses have adopted toward GDPR means that they’ve not dug deep and not grasped the true essence of GDPR. Also, this means that businesses are committing mistakes, and putting themselves at major risks of data theft, as well as GDPR noncompliance. Here’s a guide to help you avoid the most common of these GDPR mistakes.
GDPR mistakes #1: Assuming regulation doesn’t apply to you
The regulations couldn’t have been clearer — GDPR applies to every business that either operates in a European Union nation or deals with any kind of personal data of a resident of EU. The UK is also included in this list of countries. That’s because the Brexit hasn’t materialized yet even though the people have voted for it, and GDPR is already a law.
It’s surprising how businesses still cite their confusions about GDPR’s applicability to their business when the business is registered outside the EU. For global businesses, it’s a fair assumption that EU nations are a part of their target market.
Even a new business that’s still expanding, let’s say beyond the Americas, is likely to sell to European Union customers. The moment that happens, GDPR becomes applicable to them.
Lack of knowledge or “confusions” won’t be handy when GDPR noncompliance creates expensive litigation for your business (though some businesses have opted to refrain from allowing anyone in Europe to use their site). Instead, recognize that you either already need to be GDPR compliant or will be required to be so very soon (as soon as an EU resident creates an account on your business website).
GDPR mistakes #2: Cherry-picking directives from the vast GDPR text
Consent management, the right to be forgotten, and the need for data protection officer (DPO) – these are a few of the most-talked-about GDPR requirements. These are, indeed, the core of GDPR. However, businesses are mistaken in believing that this is all that is to GDPR!
GDPR is a long document, with 11 chapters and 99 articles. The coverage of this law is expansive.
All you need is a quick look at the law to understand that there’s a lot more to it than what’s generally talked about in web forums. Transfer of data across borders, joint controllers, dispute resolution — we’re just getting started, the world of GDPR is wide open.
The problem is that there are very few authoritative sources of information offering the complete picture on GDPR. The result — businesses only identify aspects that are most immediately and prominently relevant to them. Whereas it’s a prudent strategy to begin, it doesn’t serve well if businesses don’t embrace GDPR in all its comprehensiveness.
GDPR mistakes #3: Failing to identify personal information
Note that GDPR is essentially an extension of the Data Protection Law already in place in the EU. A major change, however, is that the definition of Personally Identifiable Information (PII) has evolved.
Humans leave massive data trails of their personal lives while using the Internet, and while interacting with businesses that are digitally empowered. Hence, “personal information” can’t just be limited to a customer’s IBAN (International Bank Account Numbers), IDs, emails, contact information, etc. PII, as per the new definition, is any information related to an identifiable natural person.
Businesses fail to understand that they can’t merely start managing and protecting structured data to be GDPR compliant. Unstructured web data must also be in scope. Social media posts, profile images of customers, IP addresses of the devices, their geographic locations — all this information is also personal.
The directives of GDPR, pertaining to personal information, are very strict, and constitute the backbone of the law. Without knowing which information is “personal,” businesses can’t hope to protect and safeguard it adequately.
GDPR mistakes #4: Failure to keep evidence of compliance
If you are called upon to explain how your business dealt with a specific kind of data, how do you do so? The burden of proof rests with you, and the costs of failure are massive. Consider the “purpose limitation principle” of GDPR.
The principle states that any data you collect from a customer must only be used for the purpose it’s collected for. Businesses, hence, need to be prepared to prove it to legislators. This can only be done by keeping track of all instances where the data is used, right from collection to use.
This problem extends to almost every aspect of GDPR and is one of the most contentious issues even for businesses that are sitting pretty in terms of GDPR compliance. Generating proof for regulators and lawyers when called upon to do so, that required businesses to focus on building these capabilities:
- Implementing data lakes, where the organization is able to reconcile information across systems and processes.
- Accurately establish relations between data sources to track the lineage of data.
- Establish strong audit practices to trace data trails.
- Build robust processes to share data with relevant internal and external stakeholders.
GDPR mistakes #5: Not being able to delete a customer’s data
The right to erasure, an important directive of GDPR, requires businesses to be able to completely delete all master data records of a customer.
This is clearly different from the traditional data archival strategies adopted by businesses. This creates major challenges for businesses, some of whom are not even able to understand the true implications of this directive.
The days when you could deactivate or delete some of the user’s information, and fearlessly use his or her contact information to send marketing communications — they’re over. Once a customer requests a business to delete their information, every master data record has to disappear from the company’s files.
So businesses need to build methods to tie master data records together, and to keep evidence of all that they do to delete the information.
GDPR is here to stay. Eventually, it could help businesses scale their digital security processes up to the enterprise-grade (which is a good thing, for everyone).
Also, before the EU authorities start taking a stern no-tolerance stand toward noncompliant businesses, it’s imperative that you understand the common GDPR mistakes organizations are known to commit and how to correct them.
Featured image: Pixabay