The 5 biggest GDPR mistakes made by companies
Isn’t it time to show your employees and customers respect and secure the correct handling of their personal data? We have put together the most common mistakes that companies make within GDPR, which often results in high fines, badwill and lost customer trust.
Check them out here:
- Incorrect handling of email send lists
- Recruitment: wrong handling of CV databases
- Incorrect checkboxes on website forms
- Lack of GDPR training, leading to incorrect data handling of employees
- Unclear ownership towards your suppliers (Controller vs Processor)
Incorrect handling of email send lists
This is one of the most common privacy mistakes that breaches data protection law. It involves sending emails while adding people who shouldn’t have been there in the first place.
History shows that having a list of recipients that others can view is one of organisations’ most prevalent data breaches.
Recruitment: wrong handling of CV databases
Wouldn’t it be great to just keep the CV:s of the people you did not employ this time for future needs, so you could contact them later?
Many HR departments and headhunters build large databases of CV: s, and it may sound easy and practical. But it is one of the top GDPR mistakes, and it’s not strictly legal.
Companies can only keep this information if there’s a legal reason to do so. If this legal ground is no longer valid, you must delete the data. Article 13 of the GDPR says firms must tell applicants about how they use their data and for how long, among other things.
Incorrect checkboxes on website forms
Data processing for marketing purposes is often based on the individual’s consent. Most other legal grounds don’t apply to people who aren’t yet customers.
A lot of organisations are therefore eager to get permission. Yet not all consent is valuable. Sometimes, consent forms leave out important information when companies are busy making boxes for people to check off.
There are clear rules about getting permission, make sure to understand and follow them.
Lack of GDPR training
People who work for your organisation can get their hands on any piece of data. This is possible even if you have the best security measures in place. One of the primary jobs of the data protection officer or business responsible is to make sure that employees learn how to keep their data safe.
The best way to keep your data protection up to date and in high awareness of your employees is to regularly have Data Protections days or training and practice repeatedly. You will then minimize the mistakes that personal data leaks out or unauthorized staff gets access to data (and sometimes even sensitive data).
Unclear ownership towards your suppliers (Controller vs Processor)
Customer data is typically stored in a SaaS CRM, like Salesforce, WordPress, or HubSpot. At the same time, your organisation has third-party providers that manage different processes for you. E.g. paying out salaries, building web pages, identifying sales leads or setting up meetings.
In either case, you as data controller tell these companies what to do and you process the data that comes in.
At times, it’s hard to figure out who’s responsible for doing what, but in most cases, it is you as Controller that is responsible for the data that is collected, not the 3:rd party provider. They act as Process for you, handling data “on behalf of you”. Worst case you are not even aware that personal data is collected, and you are responsible. An example is Facebook pixels that are set for marketing purposes, done by a marketing agency and you did not be aware.
The data processor must also list Records of Processing Activities of your service providers.
Does your company make any of these GDPR mistakes? If you feel uncertain, let us help you!
If you know your business, we know GDPR and have the tool to secure you get compliance with the law.