GDPR

Why Cooperating With Non-GDPR Compliant Companies Can Actually Put Your Own Company at Risk

Have you checked to see that your partners are as well prepared as you are?
Why Cooperating With Non-GDPR Compliant Companies Can Actually Put Your Own Company at Risk
Image credit: Shutterstock.com
Guest Writer
CEO of Clearcode and Piwik PRO
5 min read
Opinions expressed by Entrepreneur contributors are their own.

You've put all the right processes in place, from data collection to processing, storage and deletion on request. You're ready for GDPR. Bring it on, Data Protection Authority!

Related: With GDPR Disrupting Email Marketing, LinkedIn Is the Best Alternative

But, if you're like most organizations, you work within a larger data ecosystem; it's simply a necessity to get and use the data you need to effectively operate in 2018. Have you checked to see that your partners are as well prepared as you are? Because the list of cases of third-party data carelessness is only growing.

As someone who has spent the last decade running two advertising and marketing companies, I'll focus on the risks concerning personal data in those industries. Other types of data are of course relevant and affected by GDPR. However, marketing data is a great example as we're all dependent on it to plan brand strategies, create engaging campaigns, capture buyer personas and understand the customer journey.

What would happen if you suddenly lost all this data?

Decision makers would be blind, the brand compromised. The enterprise would be exposed to a string of costly and time-consuming operations that everyone would rather avoid. Recent data breaches involving British Airways, Feedify and Ticketmaster shook public opinion, but how could the business sector be prepared if none of us ask each other about the security of our software?

A week before the GDPR went into force, we asked companies from the adtech and martech sector about their planned policies, and 66 percent of respondents declared that they will only cooperate with GDPR-compliant partners.

In contrast, only 31 percent received a similar declaration from partners.

This tells us that most businesses aren't checking whether their partners are GDPR-compliant, which is a critical mistake because regardless of whether a company is a data processor, controller or a joint controller, it's exposed to a high level of risk and consequences.

Related: How Small Businesses Can Survive in the Age of GDPR

What are the most likely GDPR-related crisis scenarios?

1. You receive data from a partner that didn't carry out the proper consent collection process.

"Proper consent" according to article 7 of GDPR means "freely given, specific, informed and unambiguous," which doesn't seem like a popular consent collection strategy. In the case of a Data Protection Authority investigation, you might be obliged to erase all the data obtained from a partner that won't be able to present properly collected consents. If your company is a joint data controller, it will face some serious fines as well (up to €20 million or 4 percent of the annual worldwide turnover).

2. You obtain or share data with a partner that doesn't provide mechanisms to edit or erase user data.

Apart from the scenario in which you are sending a mass email marketing campaign to an illegally collected database, which seems obviously wrong, you can still make a lot less spectacular mistakes like simply working on stale data, erroneous segments or mistargeted campaigns. In the case of an investigation, depending on whether you are the co-processor or co-controller, you would have to erase all the data and the company could face financial and legal consequences.

3. One of your data processors gets hacked.

If you collect website data through trackers from companies without proper privacy and security measures in place, your company could face the consequences of their poor decisions.

In the event of a hack or leak, your customers' personal data that was stored by the processor could be exposed. The first and most painful step would be informing victims of the breach. You'd experience the same negative consequences as if it were a data leak from your own systems. This not only means a PR crisis, but also a significant amount of time and money to fix the problem, not to mention the eventual Data Protection Authority investigation.

Related: With GDPR Restrictions on Using Consumer Data, Marketers Will Need to Start Mining Moments

How can you verify partners and avoid problems?

1. One of the most crucial parts of your company's security procedure is a Data Processing Agreement (DPA). There are different elements you can include in your DPA but the important part is to have one. In the case of a breach or investigation, a DPA has a decisive influence on your liability when it comes to possible transgressions.

2. Read your partner's privacy policies and try to test them. Ask for data access or erasure. Check if the consent collection process is GDPR-compliant and verify if tags are fired according to the level of consent given. You can do this by using simple plugins like Ghostery, Privacy Badger or Disconnect.

3. Ask partners about their data-processing vendors and subprocessors. Confirm whether they have DPAs with them. Remember that if you entrust or sell data to a third party, it becomes part of a huge data chain which may be exposed to attacks.

More from Entrepreneur

One-on-one online sessions with our experts can help you start a business, grow your business, build your brand, fundraise and more.
Book Your Session

Whether you are launching or growing a business, we have all the business tools you need to take your business to the next level, in one place.
Enroll Now

In as little as seven months, the Entrepreneur Authors program will turn your ideas and expertise into a professionally presented book.
Apply Now

Latest on Entrepreneur

My Queue

There are no Videos in your queue.

Click on the Add to next to any video to save to your queue.

There are no Articles in your queue.

Click on the Add to next to any article to save to your queue.

There are no Podcasts in your queue.

Click on the Add to next to any podcast episode to save to your queue.

You're not following any authors.

Click the Follow button on any author page to keep up with the latest content from your favorite authors.