Everyone is doing their best in order to be GDPR compliant. However, there are some quite ordinary day-to-day routines that are considered to be unsafe and illegal due to GDPR. Yet they take place daily in many teams. Have a look at the three routines you should pay attention to – and consider acting on:
1. You share information given to you with others without consents
Why is this a problem?
When you share a contact from your phonebook or an old business card you were given a couple of years ago, with a colleague or person outside your organization, you actually handle personal data without consent.
One of the basic principles of the Data Protection Act is the requirement for adequate security when processing personal data. If companies and organizations do not comply with the requirement, it will in all probability lead to financial sanctions.
What can you do differently?
Your company must ensure that you have a secure procedure for handling data obtained through e.g. business cards. You can use a tool like Stinto that alerts the data owner, each time you share this person’s data with someone else, or you share the data with your CRM. By using Stinto as a data handler, you automate the otherwise manual procedures that secure you remain GDPR compliant.
2. You collect consent through manual procedures
Why is this a problem?
One of the hardest things to implement in companies is new manual procedures. Though necessary and even mandatory all things manually handled comes with the risk of failure. Often due to forgetfulness or because it seems inconvenient or even unnecessary for a few in the organization. That said, it only takes a few people to go against the flow in order to end up in a non-compliant situation. You can set up procedure checks for adding new leads to CRM, your email lists, etc, but as long as they are manually executed there is no way to know you are compliant, you can only assume you are. And the more people adding contacts manually the greater risk of ending up non-compliant.
What can you do differently?
Limit the number of procedures that require manual handling and replace it with digital flows whenever possible. By streamlining and automating the processes you use to collect and process personal data, makes it more manageable and reduces the risk of mishandling personal data when transferring it between different systems.
3. You use information collected for one purpose for a completely different purpose
Why is this a problem?
You may collect feedback through your website where customers provided personal information along with their feedback. If this data is stored and later used for a new purpose – for example for marketing, it is necessary to obtain specific consent for both purposes. The same goes when your sales team obtains a business card at a conference and then enters the details in your CRM or adds them to your email marketing lists, without letting the data owner know.
What can you do differently?
If the personal data is processed on the basis of consent, the consent only applies to the specific purpose (s) stated when obtaining the consent. In other words, you need to ask for consent for the purposes for which you are going to use the information.
There are a number of strict requirements for the validity of consent. Among other things, it must be clear to the user which information is processed and for what purpose consent is given. At the same time, the user always has the right to withdraw his consent. An example could be that Kim gave his business card to Michael when Michael was working for company X. However, now Michael works for company Y and brought the business card with him to their CRM. This raises the question if Kim actively gave consent for Michael to use the data for company Y and if not, did company Y just unknowingly become non GDPR compliant?
If you use Stinto to handle data the user is always notified when changes in the network occur. In the example above the app would automatically have notified Kim that Michael changed jobs, and now added Kim’s contact into a new CRM. In addition, Kim would through the app have access to a full list of who has his card making it easy to withdraw consent, just as the law requires.
If you want to know more about how you can use Stinto to avoid making these mistakes, contact Stinto here.