Even if your company is not located in the EU

The General Data Protection Regulation (GDPR) is a new set of rules that replaces the existing EU data protection framework (the 1995 Data Protection Directive and the national laws built on it, such as the UK Data Protection Act) and will soon be mandatory for companies dealing with European consumers.

From May 25, 2018, the regulation requires organizations to safeguard the personal data of everyone in the European Union (it applies to individuals located in the EU, not only to citizens of member states). While many companies are already in line with the requirements, it’s important to make sure your business is covered.

This article takes a look at what you should have in place to avoid being found in violation of the GDPR.

The truth is that these new rules are aimed mainly at large companies that treat personal information as a source of income. The regulation applies regardless of company size, but smaller companies are unlikely to receive the maximum penalty of € 20 million or 4% of annual worldwide turnover (whichever is higher) that large corporations face for the most serious breaches.

If you’re worried about having a mountain of work ahead of you to prepare, you shouldn’t be. If you are not sure whether you will be affected, check whether your business:

1. treats personal information as a commodity;

2. requests the user’s data when completing a purchase and then stores it or uses it elsewhere;

3. deals with customers in one or more European countries.

If the answer to all three is no, you are probably not affected.

So what can you do just in case?

Here are 10 steps your business can take to be better prepared for the GDPR, even if you are not physically located in the EU.

1. If your website has an online form with a pre-checked box that gives permission to receive promotional emails from third parties, this box must now be unchecked by default. Under the GDPR a pre-ticked box does not count as consent; the user has to opt in by a clear affirmative action.

2. If your company does any form of list building, make sure everyone on that list has given explicit permission to be on it. Under Canada’s PIPEDA, implied consent can be enough; however, if any EU residents are in your database, the rules are much stricter: consent must be explicit, and subscribers have the right to obtain the information you store about them.

3. Make sure all your staff are aware of the new rules. Circulate a memo to all staff and follow up with a meeting where the key points are reviewed. Asking a few questions of the people whose roles are most affected by the new rules is a good way to confirm they know what to do.

4. Audit all stored customer and client data and keep track of where it was obtained and how it has been used. Keep a record of everything you hold, who it was passed to and when, and document the relationship and the reasoning (the lawful basis) for each transfer.

5. Update your privacy policy to state why you hold user data, the lawful basis on which it is used, and how users can contact your company if they believe their information is being misused in any way.

6. Have a clear method of handling a user’s erasure request. Under the DPA, users already had certain rights, but the GDPR goes further with a set of rights over the data your company stores about them.

The rights consist of:

• the right to be informed

• the right of access

• the right to rectification

• the right to erasure

• the right to restrict processing

• the right to data portability

• the right to object

• the right not to be subject to automated decision-making, including profiling

You should be able to provide all this information in a clear, structured, machine-readable format (for example a CSV or JSON export), not on paper.

7. Have a process for handling a large volume of requests. Previously, under the DPA, companies had 40 days to fulfil a subject access request. That has been reduced to one month (it can be extended by up to two further months where requests are complex or numerous, provided you tell the user within the first month). Any legitimate request must be honoured; however, requests that are manifestly unfounded or excessive, for example a flood of repetitive requests intended to cause problems for your business, can be refused or charged for, and the refusal can be challenged with the supervisory authority.

8. State your lawful basis for holding user data or passing it to others clearly to users, and make sure the consent option is not pre-checked or ambiguous. Users must have a clear understanding of why you want their data, what you do with it, and who you share it with. And they should have the option to say no. Consent must be requested separately from the Terms and Conditions, not bundled into them.

9. If your company offers online services directly to someone under the age of 16, you will need the consent of a parent or guardian to process the child’s data (individual member states may lower this age to as low as 13). This is strictly regulated, but at the same time, if you do not treat personal information as a commodity, you probably don’t have to worry.

10. Prepare for a data breach. If user data is compromised, you must notify the relevant supervisory authority within 72 hours of becoming aware of it, and you will need a way to tell all affected users what was compromised and when if the breach is likely to put them at high risk. Assigning someone internally the task of coordinating the response is a good idea.

And that’s it! As you can see, it is a big-business problem and is rooted in user protection in Europe, where social media has been cited as problematic and susceptible to foreign influence.

North America hasn’t really been hit hard, but the issue is still highly newsworthy, which can make some small business owners nervous when it isn’t necessary. That said, this Small Business BC article https://smallbusinessbc.ca/blog/the-small-business-impact-of-gdpr/ points out some seemingly harmless handling of personal data that could put you at risk of a breach, such as sending greeting cards to customers residing in the EU.
