GDPR Compliant Data Storage: 7 Surprising Places to Check
As most privacy experts will know, the GDPR deals with how you collect, process, and store customer data. Most practical GDPR tips focus on data collection and processing. For instance, it’s always important to collect consent immediately, and then to ensure that you honor that consent during your marketing efforts. But it’s easy to overlook that the GDPR also dictates how you store that data—and you store data in more places than you may realize at first. Maintaining GDPR compliant data storage is absolutely critical.
GDPR Compliant Data Storage Methods to Audit
Wherever your customers’ data ends up, if it falls under GDPR jurisdiction, you have to make sure that you handle it legally. Where does your company store collected customer data? A few examples include:
- Marketing automation platforms: This one is obvious. Marketing software such as Oracle Eloqua, Marketo, or Marketing Cloud contains customer information by necessity to execute marketing campaigns.
- Customer relationship management database: Your CRM database will obviously contain a massive amount of customer data. However, with features that allow you to search by contact, it should be easier to locate a particular customer’s information for GDPR purposes.
- Company data backups: This one is also obvious. More than likely, your company’s data backups contain some customer data. The trick here is to develop a data retention policy that follows GDPR requirements and honors your customers’ wishes.
- Customer service databases: While this database is not directly related to marketing, you’ll need to pull information from it if a customer submits a data subject access request (DSAR).
- Third-party service providers: Any third parties involved in your marketing process will almost certainly hold some of your customers’ data. Take the time to review your agreements with third parties to see if they must be edited to comply with the GDPR.
- Website analytics: Your analytics may not capture information like names or addresses. However, even otherwise anonymous information such as IP addresses can be used to identify a person if paired with even a small amount of other data. This anonymous data is thus technically covered by GDPR requirements.
- Chatbot logs: If your website uses a chatbot, AI assistant, or similar tool, its conversation logs almost certainly contain private data from customer discussions. Sometimes a customer will even use a chatbot to do the equivalent of filling out a form. Make sure to encrypt your chatbot records and treat them with as much care as you would any other form of private data.
Why This Matters
One of the privacy rights enshrined in the GDPR is the right to be forgotten. On hopefully rare occasions, customers will request that you delete any and all data you’ve collected from them. That requires a significant amount of searching. Overlooking any data could subject you to significant fines if the customer challenges you or learns you’re still holding onto their information. The GDPR doesn’t care if you made a mistake or not. You’ll still be fined.
Knowing exactly where to find all GDPR-relevant customer data can reduce your risk of fines. Start with the most obvious places to look, like your marketing automation software setups. But don’t stop there. Anywhere you could find customer data—even theoretically anonymized data—should be on your checklist.
The only possible exception is if you’re keeping a record of customers who have submitted right-to-be-forgotten requests. 4Comply’s legal activities record has a section dedicated to this. However, this record of forgotten customers must follow several common-sense measures:
- It must contain only the minimum amount of data required to identify the person in question.
- It must be accessible only to authorized viewers (i.e., the Data Privacy Officer or legal team).
- It must exist solely for the purpose of proving that you’ve forgotten a customer in the event of a legal challenge. Lifting data from this record for marketing purposes is disrespectful to your customers and unlawful.
Make Data Tracking Easy
A data audit is a massive project for any company. Why tackle it alone? Our expert team is ready to help you bring your data management game up to speed with privacy laws. And once your audit is complete, keep your momentum going with 4Comply to stay up-to-date with changing requirements and streamline your long-term data management. Make it easy to maintain GDPR compliant data storage.
Interested? Get in touch with us to schedule an audit or request a free demo of 4Comply today.