Since time feels like a vacuum right now, this reminder may surprise you: The General Data Protection Regulation (GDPR) was enacted over two years ago. Even though many marketers are familiar with the best practices and protections required for compliance, we’re starting to see fines roll in for companies who either are unaware of the regulation’s nuances, or who simply messed up one way or another.
While the biggest fine we know about yet was in 2019 (a 50 million euro fine), 2020 saw some huge penalties brought against large global companies. But I’d be remiss not to mention these fines are still tantamount to a slap on the wrist, as offending parties can be fined up to 4% of their global revenue! None of the fines seen yet come close to that limit, and when assessing your own risk threshold, be aware how deeply a fine may reach into your pocket.
Here are the forbidden activities drawing the ire of GDPR enforcers:
Gathering personal information without consent
It is incredibly important to only collect information your business deems essential. For example, one company recorded religious beliefs, medical conditions, and other private details of their employees in an online database which up to 50 individuals could access. These meet the GDPR definition of “sensitive” personal data, meaning the level of responsibility and care required in keeping the information guarded is even higher than normal. Plus, the information was not captured in good faith: Personal conversations were mined for data, without the party’s knowledge the information was being collected and used, rendering them unable to provide consent. This breach of privacy violates GDPR’s requirement for a sound legal basis to collect personal data, and the fine was a whopping 35 million euros.
Purchased lists cost an Italian company 14.5 million euros last year. They acquired telephone numbers for prospecting, but the list providers could not provide reasonable or compelling evidence the numbers’ owners had consented to their use. This is a major data collection no-no under GDPR, which is explicitly designed to give individuals more actionable rights over their personal information. If you do purchase lists (which we generally discourage), ensure the seller can demonstrate consent was obtained, particular for European Union data subjects. Additionally, if the data is intended for third-party use, each individual user (company) should be explicitly named as part of the consent process. Ask if the seller can show how the data was acquired, and go through the process yourself.
Keeping sensitive data unencrypted
A highly publicised cyber-attack revealing sensitive personal data resulted in an 18 million pound fine. This is unsurprising, considering the attack lasted for a total of four years, starting in 2014 and went undetected until well into 2018. This fine only applies to the portion of the attack from 2018 onwards, per GDPR’s enforcement date, but during this four-year span, varying degrees of personal data were revealed, including customers’ passport numbers.
These two particular fines serve as a good reminder for all businesses using data to ensure the data collected is necessary. If the information is irrelevant to your business operations, securely delete it and ensure there is no way any data breach could expose both your customers’ and your employees’ personal (and intimate) data.
Disregard for cybersecurity best practices
This year, a 20 million pound fine was levied for a 2018 data breach that exposed 400,000 customers’ data. Here is the key: The investigation found the organisation should have known of the weaknesses in their IT infrastructure and strengthened to prevent an attack. It’s no use claiming lack of awareness. If you haven’t already done a full audit of your data collection and storage protocols, it’s way past time.
Don’t forget GDPR legislation applies to businesses of all sizes and even small, seemingly inconsequential choices can represent a breach. If a PDF document containing personal data is emailed errantly to the wrong recipient, this is considered a violation. If an employee has personal data on their laptop and it’s stolen, this is also a GDPR issue. Even if your annual revenue is only 100 euros, you could still be fined a portion of it. Everyone has a role to play in staying on top of these data privacy best practices, and training your employees to be diligent with data will pay dividends in return.
Our advice on data collection is simple: collect it on your own properties and in good faith. Do not imply user consent – actively confirm it, and remove problematic or risky data from existing lists. While this may all seem less pertinent to American companies, let’s be very clear. If your business is contacting anyone in the EU, you are subject to GDPR’s requirements regardless of your own physical location.
Speaking of locations, it won’t be surprising to see the United States adopting more aggressive data privacy legislation after the massive and shocking SolarWinds hack. Similar legislation is being introduced in many states, and some has even already passed, such as in California. Rather than scramble to ensure your house is in order, it would be wise to proactively adopt standards adhering to GDPR, and get ahead of the curve.
It may seem like a lot of work, but…how much is 10 million in fines worth to your business? Is the choice you‘re making worth 4% of your global revenue? Stay on the right side of GDPR and enjoy not only the peace of mind you won’t be fined any amount, but also the benefit of clean data from engaged prospects.