Top 5 Questions to Ask of your Data Supplier to Ensure GDPR Compliance, Avoid Millions in Fines
Is your B2B contact data affected by GDPR? How deep do you need to track compliance in your data vendors? Are you a controller or a processor? How much of your worldwide revenue is at risk? Read on to get more context and learn the 5 most important questions to ask your Data Supplier.
GDPR in a Nutshell
Cookies, Privacy Notices, Data Breaches and More
What do Google, British Airways, H&M and Marriott all have in common? They all received fines in excess of €10,000,000 for GDPR violations relating to personal data, and affecting upwards of 383 million customer records.
What Went Wrong?
- In the case of Amazon, the largest fine to date, it attempted to force users to “agree” to cookies—or make opting out of cookies difficult—to collect as much personal data as possible. Lesson learned? Obtain “freely given”, informed, and unambiguous opt-in consent before setting cookies on users’ devices.
- WhatsApp’s somewhat opaque privacy notice was their downfall. The company should have provided privacy information in an easily accessible format using language its users could quickly understand.
- Google’s cookie policy was fundamentally flawed. Under the GDPR, consent must be “freely given” – equally easy to accept or refuse. If you can accept with one click, you should also be able to refuse with one click.
- H&M violated the GDPR’s principle of data minimization — don’t process personal information, particularly sensitive data about people’s health and beliefs, unless you need to for a specific purpose. H&M should have placed strict access controls on the data, and the company should not have used this data to make decisions about people’s employment.
- In the case of British Airways and Marriott, breaches were preventable. Neither company had sufficient security measures in place to protect their systems, networks, and data. In fact, British Airways lacked the basics, such as multi-factor authentication, at the time of the breach. Taking a security-first approach, investing in security solutions, and ensuring strict data privacy policies and procedures are in place are fundamental to GDPR compliance.
Generally speaking, there are two types of parties that have a responsibility regarding the handling of data: the “controller” and the “processor.” It is important to determine whether you are acting as a controller or a processor and understand your responsibilities accordingly.
Data Controller
A data controller determines the purposes, conditions, and means of the use of personal data.
Data Processor
A data processor on the other hand only acts on the instructions of the “controller” and processes personal data on their behalf.
Any reseller of data becomes the controller in relation to the customer’s data.
Here’s the thing: You can’t be GDPR compliant if you don’t start GDPR compliant.
It goes without saying that the core of a successful marketing strategy is strong data. What do we mean by strong? Clean, accurate, comprehensive, and, most importantly, compliant.
What is critical is understanding the nuances of first-party and third-party data, so you can leverage each in a way that allows you to serve relevant messages and content to your target audiences. As privacy laws crack down on third-party data, it will soon become more difficult for marketers to deliver on their goals.
First-party data refers to the data collected through your own marketing campaigns, when people voluntarily give you their information in exchange for your offer.
In contrast, third-party data is collected from sources other than your own. Unlike first-party data, it is not restricted to those who have already shown interest in your company. The primary advantage of using third-party data is that it expands your universe of prospects, providing incremental target customers who may not have heard of your solutions, or may even be interested in your competitors. There are restrictions that come with using third-party data, particularly around privacy. The GDPR requires a controller to have one of six legal bases to acquire and process a prospect’s data.
Before acquiring a contact list or a database with contact details of individuals from another organization, that organization must be able to demonstrate that the data was obtained in compliance with the GDPR, and that it may use it for marketing purposes. If the organization processes the data based on legitimate interest, the data subject must have been notified (see ‘Right to be Informed’ below) about that processing, its purpose and informed of their rights. So what does that all mean? It’s crystal clear.
Trusting your Data Provider: Top 5 Questions to ask of your Data Supplier to ensure GDPR Compliance
- Does the vendor have the right processes in place?
- How will / does the vendor help to respond to Data Subject rights requests?
- Does the vendor provide privacy impact assessments?
- Is the vendor implementing the GDPR ‘security principle’, by applying ‘appropriate technical and organisational measures’?
- Does the vendor know all the types of customer data they are collecting, and how long are they storing it for?