How to train your dragon

The 2019 holiday hiatus had me thinking about what we labelled the Big Dragon of the past year: GDPR. The General Data Protection Regulation has been with us for quite a while now, so I have selected, from different areas, some funny GDPR episodes that I came across in 2019.

START-UPS – “My IT guy hosts my e-mails and website.”

In the life of a startup, every penny counts. We all know that most people have an “IT guy” who can cover some IT needs for free or for a derisory cost, depending, of course, on the level of friendship.

In most cases, your IT guy has a bigger client with a larger and better-performing server, which he uses to host all his small clients’ data (including yours). In that case, your data is hosted unlawfully by a party you have never heard of, without your approval and, most importantly, without the bigger client’s consent, not to mention insecurely. There is no processing agreement of the kind the Regulation requires between a controller and anyone who processes data on its behalf, so nobody in that chain is accountable to you. Even though I fully support charity activities, I do not recommend asking or letting your IT guy host your website, your e-mails, or any kind of data if he is not authorized for those activities.

Take control of your data, because this arrangement can easily lead to your data being deleted, or used for a purpose other than the one for which you sought permission, with no contract and no backup to fall back on.

MANUFACTURING & ART – “someone called me to buy my painting, which was at the framer’s.”

Paintings, vintage objects, jewellery, watches and all other valuable goods need periodic maintenance. Of course each item must find its way back to its owner, but if you are one of the companies offering maintenance services, I do not recommend putting a label with the owner’s name on the goods.

Instead, use a unique identification number on the item and keep the list that maps numbers to owners in a separate record that only the people who need it can open. By doing so, you avoid disclosing to your staff, service providers or third parties that Mr. X (who may, for example, be a political figure) owns a painting possibly worth a six-figure sum.

ONLINE SALES – “my employee asked if I am pregnant because I received a delivery at the office labelled ‘some baby stuff’, but in fact it was for my nephew.”

It goes without saying that delivery companies collect personal data, as they need it to carry out their activity, but working out how much data you actually need (data minimisation, in the Regulation’s terms) should not be an afterthought. Put simply, in this case the contents of a parcel have no business appearing on its label; the courier needs an address, not a description of what is inside.

MEDIA – “if you do not reply in 30 seconds, we presume that you consent to use your number for marketing purposes.”

There are a few big actors who hold massive databases. Swept up in the GDPR frenzy, they started sending consent messages. Consent is not even the only lawful basis for dealing with your clients (a contract or a legitimate interest may well cover it), but where you do rely on consent, not replying to a message within 30 seconds will never count as obtaining it: silence is not consent. The same goes for pre-ticked consent boxes and vague opt-outs buried in registration forms.

The Regulation has stringent rules on consent and spells out the obligations you must meet. In other words, consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action, and it must be as easy to withdraw as it was to give.

MEDICAL SECTOR – “small world: reading the newsletter subscription list, I discovered that we have the same therapist.”

The key to success in any industry is repeat clients, and we all want to keep them updated about our services, but a physical self-subscription list (a sheet where each client writes their own e-mail and phone number under everyone else’s) is not a praiseworthy way of collecting contact details: every subscriber gets to read the details of all the previous ones. Imagine a photo of that full list, with your logo at the top, travelling around the internet because you have a public figure as a client.

One of the premises of the Regulation is that information held by any entity must be appropriately safeguarded, with technical and organisational measures proportionate to the risk, so that customer privacy is protected. Failure to do so can expose you to substantial fines (the ceiling is 20 million euro or 4% of worldwide annual turnover, whichever is higher) and put your organization under serious financial risk.

“my doctor is very practical: I receive my medical records on WhatsApp and by e-mail, just one click” or “at first I was shocked, I thought I was ill, but the results were not mine; there is someone else with the same last name as mine.”

Practical, but not safe! Sensitive data should not be sent as a plain attachment by e-mail or WhatsApp, all the more so because encrypting a file before sending it, with the key passed on separately, is elementary nowadays. Note that the second story is not an encryption problem at all: the results went to the wrong person, which is a personal data breach in its own right, and no cipher protects against picking the wrong “Mr. Popescu” from the contact list. Given the situation, I encourage you to meet up with the IT guy from point 1 of this article.

As a rule, the Regulation prohibits processing personal data concerning health, and only a limited set of exceptions (explicit consent, or processing needed to provide health care, for example) lifts that ban, which is why it has to be handled with far more care than a newsletter address. Alongside health data, the prohibited area also covers personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and even genetic data.

WEB DEVELOPERS – “This is the cheapest solution”

The same IT guy invoked above is the one who selects your cookie providers, naturally, based on your needs. It is fundamental to choose EU service providers or, if they are from over the ocean, to check that there is a valid transfer mechanism in place (the Privacy Shield scheme that applied when this was written was struck down by the Court of Justice in July 2020, so for a US provider that now means standard contractual clauses or the later EU-US Data Privacy Framework).

As the most significant EU initiative of recent years, the GDPR does mention the magic cookies: its recitals list cookie identifiers among the online identifiers that can be used to single out an individual, which is to say that cookies can easily amount to ‘personal data’.

With so many rules, directives and regulations about cookies, it is important to keep in mind that you must disclose every cookie operating on your website, with its purpose and who sets it, so that the person concerned can make an informed choice to consent or to withdraw consent. You must also withhold the optional ones (analytics, advertising and other tracking) until you have clear, freely given consent that is not a condition for using the service; only cookies strictly necessary to deliver what the user asked for, such as a session or shopping-cart cookie, may be set without asking.
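What “withhold them until you have consent” looks like in practice, as an added example that is not code from the original post: the registry of cookies, the consent cookie name, the category labels and the third-party script URLs are all assumptions for illustration, and the site you run will have its own. The logic is deliberately kept in plain functions so it can be read and checked outside a browser; only the last function touches the page.

```javascript
// Added example (not from the original post). COOKIE_REGISTRY, CONSENT_COOKIE,
// the category names and the script URLs are assumptions for illustration.

// Everything the site sets, declared in one place so the banner can list each
// cookie with its purpose and provider. Sample entries are constructed here.
const COOKIE_REGISTRY = [
  { name: "session_id", category: "necessary", purpose: "keeps the cart/login alive", provider: "first-party" },
  { name: "_ga",        category: "analytics", purpose: "visit statistics",          provider: "third-party analytics" },
  { name: "_fbp",       category: "marketing", purpose: "ad attribution",            provider: "third-party ad network" },
];

const CONSENT_COOKIE = "cookie_consent";          // assumed name of the consent record
const OPTIONAL = ["analytics", "marketing"];      // categories that need consent

// Read the stored consent record out of a Cookie header / document.cookie string.
// No record, or a record naming no category, means no consent for anything
// optional: only strictly necessary cookies are allowed without a choice.
function parseConsent(cookieString) {
  const state = { necessary: true, analytics: false, marketing: false };
  for (const part of (cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name !== CONSENT_COOKIE) continue;
    for (const cat of decodeURIComponent(value).split(",")) {
      if (OPTIONAL.includes(cat)) state[cat] = true;
    }
  }
  return state;
}

// Which registry entries may be set right now, given the consent state.
function allowedCookies(registry, consent) {
  return registry.filter((c) => consent[c.category] === true);
}

// Turn an explicit affirmative choice from the banner into the consent record.
// `choices.accepted` comes from checkboxes that start unticked; returns null if the
// user has not acted, so a timeout or a dismissed banner never becomes consent.
function buildConsentCookie(choices) {
  if (!choices || !Array.isArray(choices.accepted)) return null;
  const accepted = choices.accepted.filter((c) => OPTIONAL.includes(c));
  return `${CONSENT_COOKIE}=${encodeURIComponent(accepted.join(","))}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
}

// Withdrawal must be as easy as giving: expire every optional cookie and the record.
// Returns Set-Cookie style strings; in the browser, assign each to document.cookie.
function revocationCookies(registry) {
  const names = registry.filter((c) => c.category !== "necessary").map((c) => c.name);
  names.push(CONSENT_COOKIE);
  return names.map((n) => `${n}=; Path=/; Max-Age=0; SameSite=Lax; Secure`);
}

// Third-party tags keyed by category (assumed URLs). A tag whose category has no
// consent is never injected, so it cannot set its cookies in the first place.
const THIRD_PARTY_SCRIPTS = {
  analytics: ["https://analytics.example/tag.js"],
  marketing: ["https://ads.example/pixel.js"],
};

function scriptsToLoad(consent, scripts) {
  return Object.entries(scripts)
    .filter(([cat]) => consent[cat] === true)
    .flatMap(([, urls]) => urls);
}

// Browser entry point: only runs where a DOM exists, so the file also loads in Node.
// Call it on page load and again after the banner stores a choice.
function applyConsent() {
  if (typeof document === "undefined") return [];
  const consent = parseConsent(document.cookie);
  const urls = scriptsToLoad(consent, THIRD_PARTY_SCRIPTS);
  for (const src of urls) {
    const s = document.createElement("script");
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  }
  return urls;
}
```

Two things the banner vendor’s snippet often gets wrong are visible here: `buildConsentCookie` returns nothing unless the user actually ticked something, and `revocationCookies` removes the tracking cookies themselves, not just the record that they were allowed. Browser-side gating is still only half of it: the server must not set optional cookies in its own responses either, and first-party scripts such as the analytics loader need to be held back the same way.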

WEBCAMS – “I can see what’s happening in my stores using 3 clicks.”

I understand it is essential to ensure the security of your store, your team and your products, but do not forget about the privacy of your clients and employees.

Avoid sending the camera feed unencrypted from the cameras to your server, and do not put the cameras on the same free Wi-Fi network your clients use. There is a reason your IT guy split your internet into two Wi-Fi networks: putting a device on the public Wi-Fi is an invitation for anyone sitting in the shop to reach the server where all the juicy data is.

A quick tip: splitting your connection into a “Public Wi-Fi” and a “Private Wi-Fi” is a setting on your Wi-Fi router (a guest network, or a separate VLAN on better equipment) and does not involve any change, extension or upgrade of your internet subscription. Do check that the guest network is isolated, so that devices on it can reach the internet but not each other and not the private side.

Restrict access to the camera feeds to the person responsible for security, and always put a passcode on the phone you view them from. Some nosy knights may be just around the corner.

So, my upshot is in fact a kind reminder to all you ‘actors’ out there: please do not dive into oblivion. Check out the Regulation, embrace it, apply it, be compliant, even get yourself a DPO. Use GDPR to deliver real value to your customers by building trust and loyalty. The Regulation is not as knotty as it may seem. After all, there is basic common sense in there.