Even if your business is not located in the EU
The General Data Protection Regulation (GDPR) is a revised set of rules, replacing the current Data Protection Act (DPA), that will soon be imposed on businesses dealing with European consumers.
From May 25, 2018, the regulation requires the protection of the personal information of all citizens of EU member states. While many companies are already up to spec, it's important to make sure your business has it all covered.
This article looks at what you need to put in place to avoid being found in breach of GDPR.
The truth is, these new rules are aimed at large companies that treat information as a source of income. Small businesses are unlikely to face the penalty of 4% of global gross revenue or €20 million that large companies face if found to be in violation.
If you're worried about having a mountain of work ahead of you to get ready, you shouldn't be. If you're not sure whether you'll be affected, look for these key signals:
1. You treat information like a commodity;
2. You request user data when they complete a purchase and use the data elsewhere or store it;
3. You are dealing with one or more European countries.
If the answer to all of these is no, you will be fine!
So what can you do just in case?
Here are 10 steps your business can take to best prepare for GDPR, even if you're not physically located in the EU.
1. If your website has an online form that includes a pre-checked box to allow receipt of third-party promotional emails, this box must now be left unchecked by default.
2. If your business does some form of list building, make sure everyone on that list has given explicit permission to be on it. Under Canadian PIPEDA, implied permission was sufficient; however, if EU residents are in your database, the rules are much stricter and give subscribers the right to obtain the information you store about them.
3. Make sure all of your staff are aware of the new rules. Circulate a note to all staff with a follow-up meeting where items are reviewed. Asking a few questions of the key players whose roles would be most affected by the new rules is a great way to make sure that they are aware of what to do.
4. Audit all stored customer information and track where you got it from and where it was used. Keep track of every piece of information and to whom you may have passed it on at all times, and document the relationship and the reasoning.
6. Have a clear method in place for responding to requests to erase a user's data. Under the DPA, users already had certain rights, but the GDPR goes further, with information rights relating to the data your business stores about them.
The rights consist of:
• the right to be informed
• the right of access
• the right to rectification
• the right to erasure
• the right to restrict processing
• the right to data portability
• the right to object
• the right not to be subject to automated decision-making, including profiling
You will need to be able to provide all of this information in a clear, machine-readable (not hand-written) format.
7. Have a process in place to handle large volumes of requests. Previously, under the DPA, businesses had 40 days to comply with a request. This has been shortened to one month. Any legitimate request must be satisfied, but if a large number of requests are made and the apparent intent is to cause problems for your business, those requests can be legally challenged.
8. Make sure that your legal reasoning for keeping user data or passing it on to others is clearly stated to users, and make sure that the opt-out option is not missing, pre-checked or unclear. Users need to have a clear understanding of why you want their data, what you do with it, and who you may share it with. And they must be given the opportunity to say no. This is separate from the terms and conditions.
9. If your company is dealing with someone under the age of 16, you will need the permission of a parent or guardian to process the child's data. This is very important and strictly regulated, but at the same time, if you don't treat information as a commodity, you probably won't have to worry.
10. Have a plan for responding to a data breach. If user data is compromised, you will need a way to notify all affected users of what was compromised and when. Having someone internally coordinate the response is a great idea.
And that's it! As you can see, this is a major issue for business, and one more rooted in user protection in Europe, where social media has been cited as problematic and susceptible to foreign influence.
North America is not really affected, but the issue is still relevant, which can make some small business owners nervous when they don't need to be. That said, this Small Business BC article https://smallbusinessbc.ca/blog/the-small-business-impact-of-gdpr/ points out some seemingly harmless practices that could put you at risk of a breach, such as sending greeting cards to customers residing in the EU.