Pitfalls of GDPR

    The main mistake in implementing the GDPR is relying on the strength and resources of a single person. A common practice is to expect a lawyer to work on the Regulation alone. If that person does not carry enough weight in the organization and cannot convince colleagues that coordinated work is needed, everything comes down to preparing useless document templates that will not protect the company.

    GDPR cannot be implemented alone

    It is even worse when the person is not a lawyer at all. Hand GDPR questions to a copywriter or marketer and you get a boilerplate privacy policy on your website. Remember why that is bad? In such a policy, your users will not see why you collected their phone numbers when they signed up for an email newsletter. They will then be surprised to receive a call offering a product or service. Bottom line: a double complaint, for direct marketing and for the privacy policy.


    Moral: GDPR compliance is teamwork. The compliance department, lawyers, the information security or IT infrastructure department, marketing and sales, HR (if there are employees in the European Union), and the production and functional departments: that is the dream team for implementing the Regulation.

    Study the requirements comprehensively

    A narrow focus on the innovations, to the detriment of the GDPR as a whole, is a common mistake. When starting to draw up a privacy policy or a consent form for the processing of personal data, companies often forget about rules that have existed for decades: rules that migrated from the old Directive 95/46/EC into the GDPR. If you read only brief overview publications about GDPR innovations, you probably do not know about such rules. Meanwhile, the GDPR does not abolish the rules of the Directive, as explicitly stated in Article 94 and Recital 171. The fines for non-compliance with these rules are just as high.

    Assess risks

    And do it everywhere. The GDPR has moved the protection of personal data away from checklists and towards risk assessment. Based on a risk analysis, you need to develop your own documents and determine which measures should be taken. At the same time, the Regulation does not describe the result the risk assessment will lead you to. Measures that are successful and effective in one company may well be irrelevant in another. Only on the basis of the level of risk and the characteristics of a particular threat can you choose measures for your company.

    For example, it may be that the risk of a bribed employee handing a personal data base to a competitor is not relevant to your company, while it is quite likely that a contractor processing the data will commit a violation with negative consequences for those who entrusted that data. Your task is to track GDPR compliance by the contractors you involved in processing personal data. You might not have heard about this from a friend at another company (well, this is what you can hear from us).
