The European Union’s General Data Protection Regulation (GDPR) is a complex and sweeping data protection law that has left companies all over the world scrambling to rethink their data handling processes. Unfortunately, ensuring full compliance with the 88-page regulation isn’t easy. In fact, many companies are still making mistakes — and with penalties maxing out at 4% of annual global turnover, in addition to potential damages payable to affected users, slipping up can be costly.
Here are 5 of the biggest errors we see companies making as they figure out how to handle their obligations under the GDPR:
1. Assuming the GDPR doesn’t apply to you
As you’d expect virtually all companies with operations in the European Economic Area are required to comply with the GDPR. But that doesn’t mean you’re off the hook if you’re based elsewhere in the world. Under the terms of the GDPR, companies that collect or process data for the purposes of doing business with European customers must comply with the regulation. An occasional European visitor to your company’s website won’t necessarily trigger the GDPR. But if you’re soliciting business from Europeans, such as by advertising in Europe or including prices in euros, then you’re likely to fall under the regulation.
2. Misunderstanding the scope of the statute.
It’s easy to assume that as long as you’re getting users’ consent before you collect their personal data, you’ve insulated yourself against any potential problems. Unfortunately, though, the GDPR is much more far-reaching than that, and collecting consent is only the beginning. The GDPR actually secures 8 key rights for data subjects, including the right to amend or revoke consent; the right to obtain copies of or to amend any collected data; and the right to have their data “forgotten” or completely deleted, or to object to the ways in which it’s being processed.
For most companies, that can’t be managed simply by asking permission to set various types of cookies to log consent. Instead, you’ll need a systematic approach that lets you track a user’s personal data throughout your system, and ensure it’s never used for purposes to which a user objects. You’ll also need to be able to extract data from your system, explain where and how it is used, or discontinue processing that data on demand. For companies affected by the GDPR, static cookie-based strategies simply aren’t good enough.
3. Counting on partners doing their jobs right.
In the modern world, dataflows don’t end neatly at the boundary of your organization — they spill over to third parties and outside partners. The GDPR makes clear that data controllers aren’t responsible solely for their own handling of a user’s data — they’re also directly liable for any errors or missteps made by other processors, such as downstream partners and vendors, who use the data.
In other words, it’s no longer enough to simply put policies in place to manage your own handling of personal data. You also need to ensure that you’re promptly and reliably communicating with partners about how data can be processed. If your user revokes consent, that signal needs to propagate promptly across your entire data ecosystem, including any third parties who’ve accessed the data, in order to shield you from potential liability for GDPR noncompliance.
4. Expecting IT pros to be policy experts (and vice versa)
GDPR compliance requires both policy chops (to figure out how personal data should be handled) and IT savvy (to figure out how to implement that across your data ecosystem). Too often policy experts feel obliged to weigh in on IT implementations, or IT teams have to parse the nuances of the statute when writing code. That can lead to mistakes as people step outside their areas of expertise, or slow the pace of innovation as projects are increasingly run by committee and require multiple stages of legal and technical approval.
The key for successful GDPR compliance is to develop an approach that allows legal teams to define acceptable forms of data usage, then rapidly and frictionlessly translate those perspectives into actionable guidance for IT teams. In an ideal world, your legal teams should never need to read a line of code, and your IT specialists should never need to wade into the dense legal language of the GDPR itself.
5. Dealing with the GDPR in isolation
The GDPR has changed the face of global data privacy regulation; increasingly, in the post-Snowden world, regulators are looking to create muscular regulatory frameworks that place significant new burdens on data controllers and processors. But here’s the rub: while many of the frameworks now being implemented share the same goals, they impose unique and varying obligations upon organizations.
It isn’t enough to simply upgrade your data-handling infrastructure to ensure GDPR compliance. Instead, organizations need to create flexible and responsive systems that can rapidly adapt to new regulations and requirements as they are introduced. From new data laws in California and Brazil to sweeping privacy measures in India and China, organizations need to plan for the future, and put infrastructure in place to help them remain compliant with a fluid and constantly changing global regulatory landscape.
All of these mistakes are easy to make. Fortunately, they’re also easy to avoid. The key is to take the GDPR seriously, and not to try to handle everything internally. Whether it’s mastering the policy nuances or figuring out how to translate them into workable IT and data-handling infrastructure, it pays to partner with a specialist.
That’s where Ketch comes in. Our founding team’s background in advertising and marketing technologies and data infrastructure gives us a deep understanding of the ways that data flows through modern businesses. We also understand the challenges that companies face as they try to adapt those dataflows to the requirements of the GDPR without disrupting their daily operations.
Using our technology and our in-house expertise, we can translate your specific requirements and obligations under the GDPR into customized, crystal-clear data-management policies. Crucially, we also automate the process of querying datasets subject to those policies — so your coders and developers can implement call-outs to automatically check whether a specific action is permissible for a specific item of personal data.
With Ketch, your IT teams don’t have to fret about the nuances of privacy laws, and your legal teams don’t lose sleep over specific implementations. And because permissions are handled centrally, you can be confident that any changes will propagate instantly across your entire data ecosystem, including outside partners, to ensure continuous GDPR compliance.
That adds up to a frictionless and robust toolkit for companies affected by the GDPR. So stop fretting about making costly mistakes — and get in touch with Ketch to find out how we can streamline your data compliance.