On May 25, 2018 something big is coming at us all from Europe. If you don’t know about it, you probably should – and now!
- If you are compliant with the Canadian privacy standards of PIPEDA and CASL, then you are already in a very good starting place.
- This only applies to you if you have customers, employees, or prospects in the EU.
- If it does apply to you, you must comply or face potential fines.
- Be transparent and intentional about your use of personal information – including cookies.
- You don’t have to have a ‘cookie pop-up’, but that might change next year.
What is it and does it apply to you?
On 25 May 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) comes into effect to protect the privacy of people living in the EU. It applies to companies in and outside the EU which hold information about people living in the EU.
It might be a foreign law, but there are many reasons to pay attention and understand how it applies, what countries around the world have to do about it, and what can happen if you don’t.
This new law will matter to you if your company has any of the following:
- employees in the EU or EU applicants for job vacancies;
- customers in the EU;
- mailing lists or newsletter subscribers with EU members;
- market research involving or tracking activity of EU residents;
- future plans or potential for any of these activities.
(Psst, here’s a list of 28 countries in the EU, as we couldn’t remember them all either!)
It’s not enough just to know about the new law. We think you need to care about it as well. Here are a few reasons why.
- The EU is serious about doing this. This new regulation will be a law which each EU country has to introduce. It’s mandatory, not just encouraged.
- The EU is very serious about enforcing the new law. The fines are huge: up to €20m or 4% of annual turnover (whichever is higher).
- There is no phase-in period. From the start there is no limit on company size which means the fines can affect small startups as much as large corporates.
It’s also important for you to know a bit more about the spirit of the law and the different approach to privacy issues that it reflects.
Before the GDPR was introduced, each of the 28 countries had its own separate data protection laws, which were based on how each understood guidance from the EU. The result of this was “confusion” according to the official response. The non-official response was not as polite or restrained. The new law, agreed on by 28 different governments, not only addresses the way personal information is obtained, handled and processed, it also goes much further than data protection laws typically do. We’ve set out the major differences from what we’ve seen before.
It’s not just technical compliance. It’s compliance in everything you do.
The new law isn’t just about the technical side of personal information. Only 8 of the 99 sections or articles in the law deal with technology relating to personal information. The law deals with all activities relating to the information from storage and security all the way to marketing activity. The law is aimed at getting companies to build a privacy foundation for everything they do, so that it is part of the way business is carried out in general.
The “personal information” it applies to covers more than you might expect.
It includes any information related to a person or that can be used to directly or indirectly identify the person. This is anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
“Passing the Buck” won’t work here either.
If the information was provided to you, you must look after it, wherever it is. And this is going to be messy – for everyone. One study reported that more than 60% of CIOs surveyed globally said that their IT organizations have less than half of corporate data under their control.
Say Goodbye to the Small Print.
Do you have some of those small print terms & conditions or consent forms on your website that everyone can just “click” to accept? Say goodbye to them.
Consent is going to be treated in a much tougher way. Any request for consent – which will be relevant to any information you get – has to be easily accessible and understood. The purpose for which the information is being provided must also be clear.
Consent must also be easy to withdraw, and people will have the right to be “forgotten”, which means they can ask for their personal data to be deleted, as well as ask where it is being stored. Gone are the days of using lists of email addresses obtained elsewhere.
The GDPR Diet – you can still have cookies, just don’t be sneaky about them.
At least, not yet. This is scheduled to be revisited in 2019, so stay tuned for updates.
You will be required to do the right thing.
Security breaches, which are unauthorised access to the information, and privacy breaches, which are unauthorised collection, sharing or movement of data, must be reported to EU authorities and to the people whose information was affected. And it has to be quick – within 72 hours to authorities and “without undue delay” to the individuals.
The biggest change is the broader focus on privacy of information. It’s not just a security issue anymore, but security is still an important part.
The new law focuses on privacy, throughout the full cycle from collecting or obtaining the information, through its use, sharing, storage and transfer. Security is only part of the privacy process.
What you should do next.
Whether or not you think GDPR will definitely apply to your company, its principle of considering privacy issues in relation to all that your business does is appropriate.
For GDPR compliance specifically, you should probably start with a data inventory to determine what data you hold, whether it includes data associated with European-based people, and where this data is located. And then keep doing that, so that if you are compliant, you stay compliant. You should make sure that someone takes responsibility for this task.
It sounds simple enough, but it might not be easy, and this is not something that a new program or app can do to make you compliant. At this time, the EU cannot certify that any company is compliant – and neither can anyone trying to sell you a process. A process can help you. It can’t do it alone, however.
This presents an opportunity, not an obligation. The companies that understand and respond early to the higher priority of privacy will see the benefits in their relationship with their customers.
To look at this as only a security and compliance issue might put it under a negative light, which would be a mistake. Everyone should care about and be aware of the principles behind the new law, at every level and in every discipline. After all, it’s your privacy too.
We see the opportunity for companies to represent themselves to their customers and target audiences as more responsible and empathetic on the topic of data, which makes this a very good thing, particularly if it enables stronger relationship building and the basis for more equality and trust between businesses and their customers.
With respect to the GDPR, we’ve only scratched the surface and there are many more GDPR resources available which provide the technical details. You should check them out, and here are a few to start with: