Recently, we wrote an article about the Facebook Cambridge Analytica scandal and how this story (among dozens of others) has catapulted data privacy into the spotlight. If you’re still wondering what happened there, you can read our article here.
What you may not have been aware of is that the European Union had been working on new regulations to protect the personal data of people in the EU for over six years. The GDPR became enforceable on May 25th, 2018. As a Canadian or US business, even if you’re not explicitly selling to consumers in the Union, your website may still collect personal data from visitors located in the EU (a newsletter sign-up, a contact form, analytics cookies), and the regulation applies to that data regardless of where your servers sit. You should be looking to beef up your data protection policy.
What’s the penalty?
Hang on to your hats – the maximum penalty for organizations in breach of the GDPR is up to 4% of total annual global turnover (not profits, and not just revenue from Europe) or 20 million Euros, whichever is higher.
Scary huh? There is also a lower tier: up to 2% of global turnover or 10 million Euros, again whichever is higher, for failures such as not keeping proper records of how data is collected and processed. UpCounsel shared some cases of privacy breaches where fines could cost up to $600m!
Don’t panic, keep reading.
What are some other key changes?
Consent: companies can no longer bury their data collection and processing policy in illegible terms and conditions chock-full of jargon. Consent must be freely given, specific, informed and unambiguous, requested in clear and plain language, and it must be as easy to withdraw as it was to give. Pre-ticked boxes and silence do not count as consent.
Right to access: individuals in the EU have the legal right to request a copy of the exact personal data you hold on them, along with how it is used and who it is shared with. This must be provided free of charge in most cases, normally within one month, and in a commonly used electronic format if the request was made electronically.
Right to be forgotten (formally the right to erasure): individuals in the EU have the right to request that their personal data be erased from your systems. This is not absolute (you can keep data you are legally required to retain, for example), but when it applies you must also tell any third parties you have passed the data to (email marketing provider, CRM vendor, analytics tools) so they can erase it too.
Privacy by Design: while this concept has existed for years now, the GDPR makes data protection by design and by default a legal obligation. It means privacy must be built into any system that collects or stores personal data from the start, not bolted on afterwards. Top examples include encryption and pseudonymization of stored data, and data minimization (only collecting and keeping the data you actually require, nothing more, for no longer than necessary).
Record Keeping and Data Protection Officers (DPO): most businesses are now required to document their processing activities and data flows, both internal and external. There is a narrow exemption for organizations with fewer than 250 employees, but it does not apply if the processing is more than occasional, poses a risk to individuals, or involves sensitive data, so in practice you should assume you need the records.
Organizations that engage in regular and systematic monitoring of individuals on a large scale, or in large scale processing of sensitive personal data, e.g. health data or political or religious beliefs, are required to appoint a Data Protection Officer (as are public authorities). The DPO’s responsibility is to ensure all operations adhere to the GDPR and to act as the point of contact for the local Data Protection Authority (DPA).
What can I do?
Becoming compliant doesn’t have to be a struggle, nor costly. Even if you’re 100% certain that there is no data on people in the EU within your systems (remember that the GDPR is about where the person is, not their citizenship), it’s a wise choice to strengthen your data protection policy.
- Start by assessing your data privacy and collection policies. Take a good look at every place personal data lands: email marketing software, CRM systems, website forms, analytics, backups, etc.
- Make your GDPR plan and determine the impact that this will have on your business. Identify the new procedures that the plan requires, and begin training your staff.
- Once your plan is complete, you’ll need to document your new GDPR policy.
- Download this sample data protection policy and begin populating it with your own data, then update your website’s privacy policy as well.
- These folks in Belgium put together a really simple checklist that you can follow. This checklist isn’t legally exhaustive, but it’s a very strong guideline.
- Review your data protection policy with your lawyer to ensure compliance.
Edit: WordPress is pretty incredible! You should look to safely update to version 4.9.6 as soon as possible to benefit from its new privacy tools, including a privacy policy page generator and tools to export and erase a user’s personal data on request: https://wordpress.org/news/2018/05/wordpress-4-9-6-privacy-and-maintenance-release/
Necessary disclaimer: this should not be mistaken for legal advice. We’re not lawyers. You should talk to your lawyer to ensure your data protection plan is in fact legal.
Need some help?
We’ve already helped dozens of clients comply with the Accessibility for Ontarians with Disabilities Act (AODA) and Canada’s Anti-Spam Legislation (CASL). To further our professional approach, we’re helping our clients update their websites, social media channels, email marketing software, CRM systems, and all other digital marketing channels to comply with the GDPR.
Contact us to get started on your Data Protection Audit!