Mishandling customer data has never been good for business, and it became an even more serious issue when the EU’s General Data Protection Regulation (GDPR) went into effect in May 2018. Companies that fail to comply with GDPR requirements, which include strictly limiting access to customers’ Personally Identifiable Information (PII), face fines of up to 4 percent of their total annual global turnover — a provision that’s already resulted in hundreds of millions in penalties for some major global firms. 

Despite the high potential costs, however, only 28 percent of companies said they were fully compliant with the GDPR as of September 2019. Many businesses have invested heavily in technology designed to automate consent tracking (for data collection and email marketing) and customer-initiated data access and redaction — but data leakage is still a big problem, and human error is a leading cause. According to the UK’s Information Commissioner’s Office (ICO), human error was responsible for 88 percent of data breaches in the UK during the past two years, and a 2018 report from data security firm Netwrix concluded that “insiders who make mistakes are more dangerous than hackers”.  

What do these errors look like? And how do you know if you’re unwittingly compromising customer data? Here are three easy-to-make mistakes you should watch out for. 

#1: Leaving old or unwanted analytics tags on your site

The average enterprise website uses as many as 150 third-party tags to capture customer data and implement marketing automation workflows. Data collection and usage through these tags can be covered under your privacy policy and consent notices — but only if you know it’s happening. Tags can easily be installed and then forgotten as priorities shift and  employees come and go, and piggyback tagging (one tag invoking another) can also result in the addition of dozens of tags without the website owner’s knowledge. 

If you don’t have a comprehensive picture of the data your tags are collecting, where it’s stored, and how it’s used, you can’t possibly provide security or transparency for your customers as required under the GDPR. Avoiding this problem is as simple as running regular tag audits and removing anything you didn’t authorize or no longer use. 

#2: Misdelivering or mis-personalizing emails

Email is an extremely common and often-overlooked vector for data leakage. One of the most serious issues is misdelivery, in which an email containing customer PII is sent to the wrong recipient. According to a 2018 report, misdelivery accounts for around 62% of human error data breaches in healthcare, and it’s a big problem in other industries, as well. 

Misdelivery can occur on a small scale in one-to-one emails, but it’s truly catastrophic in a one-to-many scenario such as a large email marketing campaign. If you personalize your marketing emails in any way, it’s imperative that you have a systematic error-checking process in place, as even basic information such as a username or birthdate could be considered sensitive under the right circumstances.  

#3: Tracking email activity without customer consent

Email opens, clicks, and forwards are basic performance metrics for email marketing professionals. These numbers tell us “how our email did” — but it’s easy to forget that they also tell us what our customers did. Email tracking is data about customer behavior, and thus governed under the GDPR

If you routinely include tracking code in your marketing emails, you’ll need your customers (or at a minimum any customers based in the EU) to opt in to email tracking. It’s also a good idea to make sure you understand exactly what you’re tracking and where the data is stored, and to routinely scan your emails for any new or unwanted tracking scripts added by your marketing software. 

Of course, these are far from the only human errors that could compromise your GDPR compliance, but even this short list illustrates the very real risks — and the fact that basic infrastructure is only the first step. To avoid steep penalties under the GDPR (and similar laws, such as California’s recently-enacted CCPA) companies will need to commit to ongoing investment in employee education, training, and automated system monitoring.