- Don’t use the paradigm of data ownership – it doesn’t fit. Fundamental rights of data subjects cannot be ‘sold’.
- Don’t think that paying database makers to use their databases shields you from liability where the provider of the data infringed another party’s rights in a previous database. Always critically question the origin of the data you are about to access; this is part of your due diligence obligations.
- Don’t try to collect consent for every possible scenario. Broad consent is acceptable, but it cannot be considered a blank check.
- Do not try to influence or nudge individuals into giving you their personal data. Remember to offer participants a real choice.
- Never assume that the data you collected is non-critical. Don’t skip applying the GDPR just because personal data has been pseudonymized. In most cases it is much easier to re-identify data subjects than you think (e.g., due to advanced technologies which can correlate data from multiple sources and link it to a specific person). Only if data is truly anonymized is it no longer possible to turn it back into personal data.