GDPR Privacy

Horror Stories in Compliance

GDPR went live in 2018, which would lead people to believe that companies are finally getting their compliance strategies and training right. Sadly, in this past week alone I experienced 2 companies completely failing to maintain compliance, with little strategy to regain it.

The first case involved communications with a hardware supplier based in Germany. I needed to confirm some details for an order and, in the message, requested not to be added to any mailing list / newsletter. In a perfect world, the sales rep would have replied with the answers to my enquiry and a simple confirmation that no unsolicited sales messages would be reaching me. As you can imagine, my writing about this exchange is due to the situation being ever so slightly different.

Indeed, the sales rep’s reply answered my inquiries and promptly let me know I could unsubscribe from the newsletter through the unsubscribe button at the end of any of the newsletter messages. Now, I have 2 concerns with this reply.

  1. This means that sales reps, who are likely to use a CRM, have no control over the data, or lack the training necessary to manage it.
  2. The CRM is most likely from an external provider, which means my data is now in the hands of a third party without my consent.

While the external provider generates the highest risk to compliance, it is the lack of control or training which most demonstrates a company's lack of interest in its data governance. Indeed, a company sharing all its data with a 3rd party, with no control over what is transferred or how it is transferred, will have a difficult time obtaining verification that records are deleted by the provider. Furthermore, when a client unsubscribes from the newsletter, the probability of the email address being removed from the recipients list is minimal compared to that of the address being placed in a different table, alongside the addresses generating bounce errors.

The second occurred after ordering a delivery. The online ordering process was relatively clear, and the marketing opt-in was well organised. The order confirmation came through, followed shortly by a receipt/bill for the ordered goods. So far so good, until the next day, when… “Welcome to [delivery place]” and “Thank you for ordering with [delivery place]”. A quick scan of the emails showed the domain was not spoofed and the links were not hiding multiple redirections.

While unsubscribing from the mailing list took all of 2 seconds, the experience demonstrated that this company had completely lost control of its customers’ data, as the emails explicitly mentioned that data was shared with an external CRM and provided links to the CRM’s data privacy policy. All this despite my having explicitly avoided creating an account for faster orders in the future and having checked that no marketing opt-ins were selected.

So, what strategies can users take to avoid these types of issues in the future? Well, for starters, using a dedicated email address for each service means that once transactions with a business are finished, the dedicated address can be auto-forwarded to trash should any marketing arise from those transactions. The second is to make any small orders by telephone rather than online, as the telephone number is a piece of information requested for online orders anyway.