Why Cooperating With Non-GDPR Compliant Companies Can Actually Put Your Own Company at Risk
Have you checked to see that your partners are as well prepared as you are?
You've put all the right processes in place, from data collection to processing, storage and deletion on request. You're ready for GDPR. Bring it on, Data Protection Authority!
But, if you're like most organizations, you work within a larger data ecosystem; it's simply a necessity to get and use the data you need to effectively operate in 2018. Have you checked to see that your partners are as well prepared as you are? Because the list of cases of third-party data carelessness is only growing.
As someone who has spent the last decade running two advertising and marketing companies, I'll focus on the risks concerning personal data in those industries. Other types of data are of course relevant and affected by GDPR. However, marketing data is a great example as we're all dependent on it to plan brand strategies, create engaging campaigns, capture buyer personas and understand the customer journey.
What would happen if you suddenly lost all this data?
Decision makers would be blind, the brand compromised. The enterprise would be exposed to a string of costly and time-consuming operations that everyone would rather avoid. Recent data breaches involving British Airways, Feedify and Ticketmaster shook public opinion, but how could the business sector be prepared if none of us ask each other about the security of our software?
A week before the GDPR went into force, we asked companies from the adtech and martech sector about their planned policies, and 66 percent of respondents declared that they will only cooperate with GDPR-compliant partners.
In contrast, only 31 percent received a similar declaration from partners.
This tells us that most businesses aren't checking whether their partners are GDPR-compliant, which is a critical mistake because regardless of whether a company is a data processor, controller or a joint controller, it's exposed to a high level of risk and consequences.
What are the most likely GDPR-related crisis scenarios?
1. You receive data from a partner that didn't carry out the proper consent collection process.
"Proper consent" according to article 7 of GDPR means "freely given, specific, informed and unambiguous," which doesn't seem like a popular consent collection strategy. In the case of a Data Protection Authority investigation, you might be obliged to erase all the data obtained from a partner that won't be able to present properly collected consents. If your company is a joint data controller, it will face some serious fines as well (up to €20 million or 4 percent of the annual worldwide turnover).
2. You obtain or share data with a partner that doesn't provide mechanisms to edit or erase user data.
Apart from the scenario in which you are sending a mass email marketing campaign to an illegally collected database, which seems obviously wrong, you can still make a lot less spectacular mistakes like simply working on stale data, erroneous segments or mistargeted campaigns. In the case of an investigation, depending on whether you are the co-processor or co-controller, you would have to erase all the data and the company could face financial and legal consequences.
3. One of your data processors gets hacked.
If you collect website data through trackers from companies without proper privacy and security measures in place, your company could face the consequences of their poor decisions.
In the event of a hack or leak, your customers' personal data that was stored by the processor could be exposed. The first and most painful step would be informing victims of the breach. You'd experience the same negative consequences as if it were a data leak from your own systems. This not only means a PR crisis, but also a significant amount of time and money to fix the problem, not to mention the eventual Data Protection Authority investigation.
How can you verify partners and avoid problems?
1. One of the most crucial parts of your company's security procedure is a Data Processing Agreement (DPA). There are different elements you can include in your DPA but the important part is to have one. In the case of a breach or investigation, a DPA has a decisive influence on your liability when it comes to possible transgressions.
2. Read your partner's privacy policies and try to test them. Ask for data access or erasure. Check if the consent collection process is GDPR-compliant and verify if tags are fired according to the level of consent given. You can do this by using simple plugins like Ghostery, Privacy Badger or Disconnect.
3. Ask partners about their data-processing vendors and subprocessors. Confirm whether they have DPAs with them. Remember that if you entrust or sell data to a third party, it becomes part of a huge data chain which may be exposed to attacks.