Gibuthy.com


10 steps to prepare your business for the GDPR (General Data Protection Regulation)

Even if your company is not located in the EU

The General Data Protection Regulation is a new set of rules amended from the current Data Protection Law that will soon become mandatory for companies dealing with European consumers.

From May 25, 2018, the regulation requires safeguarding the personal information of all citizens of the member states of the European Union. While many companies are already aligned to the specifications, it's important to make sure your company has everything covered.

This article takes a look at what you need to have in place to avoid being found in violation of the GDPR.

The truth is that these new rules are aimed at large companies that trade information as a source of income. Smaller companies are less likely than large corporations to be penalized the maximum of 4% of global gross revenue or €20m if found in violation.

If you’re worried about having a mountain of work ahead of you to prepare, you shouldn’t be. If you’re not sure if you’ll be affected, look for these key signs:

1. You trade information as a commodity;

2. You request user data when a customer completes a purchase and then store it or use it elsewhere;

3. You have dealings with one or more European countries.

If the answer is no to all three, then you'll be fine!

So what can you do just in case?

Here are 10 steps your business can take to be better prepared for GDPR, even if you’re not physically located in the EU.

1. If your website has an online form that includes a pre-checked box giving permission to receive promotional emails from third parties, this box should now be un-checked.

2. If your business does any type of list building, make sure everyone on that list has given explicit permission to be on it. Under the Canadian PIPEDA, it was enough to have implied permission; however, if there are EU residents in your database, the rules are much stronger and give subscribers the right to obtain the information stored about them.

3. Make sure all your staff are aware of the new rules. Circulate a memo to all staff with a follow-up meeting where points are reviewed. Asking the key players whose roles would be most affected by the new rules a few questions is a great way to make sure they are aware of what to do.

4. Audit all stored client/customer information and keep track of where you got it and where it has been used. Keep track of every bit of information and to whom it was passed on at any time, and document the relationship and reasoning.

5. Update your privacy policy to include why user data is retained, the legal basis on which it is used, and how users can contact your company if they feel their information is being used improperly.

6. Have a clear method for dealing with requests to delete a user’s data. Under the DPA, users already had certain rights, but the GDPR goes further with information rights related to their data stored by your company.

The rights consist of:

• the right to be informed

• the right of access

• the right to rectification

• the right to delete

• the right to restrict processing

• the right to data portability

• the right to object

• the right not to be subject to automated decision making, including profiling

You will need to be able to provide all of this information in a clear, machine-readable (not handwritten) format.

7. Have a process for handling large volumes of data requests. Previously, under the DPA, companies had 40 days to comply with a request. That has been shortened to one month. Any legal request must be honored, although if there are a large number of requests and the suspected motive is to cause problems for your business, these requests can be legally challenged.

8. Have your legal reason for retaining user data or passing it on to others clearly indicated to users and make sure the opt-in option is not pre-ticked or unclear. Users need to have a clear understanding of why you want their data, what you do with it, and who you might share it with. And they should have the option to say no. This is separate from the Terms and Conditions.

9. If your business deals with anyone under the age of 16, you will need the permission of a parent or guardian to process the child’s data. This is very important and strictly regulated, but at the same time, if you’re not treating the information like a commodity, you probably don’t need to worry.

10. Have measures to deal with a data breach. In the event user data is compromised, you’ll need to have a way to let all affected users know what was compromised and when. Assigning someone internally the task of coordinating the response is a great idea.

And that is it! As you can see, it's a big business issue and one more entrenched in user protection in Europe, where social media has been cited as problematic and susceptible to foreign influence.

North America isn't affected much, but the issue is still highly newsworthy, which can make some small business owners nervous when it's not necessary. That said, this Small Business BC article https://smallbusinessbc.ca/blog/the-small-business-impact-of-gdpr/ points out some seemingly harmless activities that could put you at risk of a breach, such as shipping greeting cards to customers living in the EU.
