The EU is getting serious about privacy. Maybe you should too.
The good news: if you are compliant with the Canadian privacy standards PIPEDA and CASL, you are already in a very good starting place and much of the way to compliance.
- This only applies to you if you have customers, employees, or prospects in the EU.
- If it does apply to you, you must comply or face potential fines.
- Be transparent and intentional about your use of personal information - including cookies.
- You don't have to have a 'cookie pop-up', but that might change next year.
- Confirm your compliance, and start with our Privacy Checklist
On May 25th something big is coming at us all from Europe.
If you don’t know about it, you probably should – and now!
On 25 May 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) comes into effect to protect the privacy of people living in the EU. It applies to companies in and outside the EU which hold information about people living in the EU.
It might be a foreign law, but there are many reasons to pay attention and to understand how it applies, what companies around the world have to do about it, and what can happen if you don’t.
This new law will matter to your company if it does or has any of the following:
- employees in the EU, or EU applicants for job vacancies;
- customers in the EU;
- mailing lists or newsletter subscribers who are in the EU;
- market research involving or tracking the activity of EU residents;
- or any plans or potential for any of these activities.
Basically, have you heard of the EU? Here’s a list of the 28 countries in the EU, as we couldn’t remember them all either!
A yes to any of these questions means the GDPR could apply to your company’s activities, starting with the information you have or obtain through your website.
This time, it's not enough just to know about the new law. We think you need to care about it as well. We’re going to give you a few reasons why.
Just because a particular law applies to you, you might not think you need to pay attention or care. We think the situation is different this time, and you probably will as well, for three reasons.
- The EU is serious about doing this. The GDPR is a regulation, not a directive: it applies directly and uniformly in every EU country, without each country having to pass its own law first. It’s mandatory, not just encouraged.
- The EU is very serious about enforcing the new law. The fines are huge, as we already mentioned, and we’ll say again: up to €20m or 4% of worldwide annual turnover (whichever is higher).
- There is no phase-in period. From the start there is no lower limit on company size, which means the fines can affect small startups as much as large corporates.
We hope you’re still reading. At this point, you probably fall into one of two categories.
- You knew about GDPR already; or
- You didn’t, and now you really wish you were in category 1.
We didn’t want to just get your interest and leave it there. It’s also important for you to know a bit more about why this new law was needed and the different approach to privacy issues that it reflects.
Whether you are category 1 or 2, there is more that will help you understand why this new law made by (28) foreign governments, was needed and how it’s different from what we might be used to in relation to personal data and information.
Before the GDPR, each of the 28 countries had its own separate data protection law, based on how each had implemented the EU’s 1995 Data Protection Directive. The result of this was “confusion”, according to the official response. The unofficial response was not as polite or restrained. The new law not only addresses the way personal information is obtained, handled and processed, it also goes much further than data protection laws typically do. We’ve set out the major differences from what we’ve seen before.
It’s not just technical compliance. It’s compliance in everything you do.
The new law isn’t just about the technical side of personal information. Only 8 of the 99 sections or articles in the law deal with technology relating to personal information. The law deals with all activities relating to the information from storage and security all the way to marketing activity. The law is aimed at getting companies to build a privacy foundation for everything they
The “personal information” it applies to is a bit more than we’re used to.
The GDPR calls it “personal data” and defines it as any information relating to an identified or identifiable person: anything that can be used to directly or indirectly identify someone. This covers anything from a name, a photo, an email address, bank details, posts on social networking websites and medical information, to a computer’s IP address.
"Passing the Buck” won’t work here either.
If the information was provided to you, you must look after it, wherever it is, including when a vendor or cloud provider stores or processes it on your behalf. And this is going to be messy – for everyone. One study reported that more than 60% of CIOs surveyed globally said that their IT organizations have less than half of corporate data under their control. So everyone is going to be looking.
Say Goodbye to the Small Print.
Do you have some of those small print terms & conditions or consent forms on your website that everyone can just “click” to
Consent must also be easy to withdraw, and people will have the right to be “forgotten”, which means they can ask for their personal data to be deleted, as well as the right to ask what you hold about them and where it is being stored. Gone are the days of using lists of email addresses obtained elsewhere.
The GDPR Diet – you can still have cookies, but don't be sneaky about them.
The GDPR itself doesn't force you to add a cookie pop-up, as long as you are transparent about which cookies you use and why. At least, not yet: the EU's separate rules on cookies are scheduled to be revisited in 2019, so stay tuned for updates.
You have to be a tattle tale – even about yourself
Security breaches (unauthorised access to the information) and privacy breaches (unauthorised collection, sharing or movement of data) must be reported to the EU data protection authorities and to the people whose information was affected. And it has to be quick: within 72 hours of becoming aware of the breach for the authorities, and “without undue delay” for the individuals where the breach is likely to put them at high risk.
The biggest change is the broader focus on privacy of information. It’s not just a security issue anymore, but security is still an important part.
The new law focuses on privacy, throughout the full cycle from collecting or obtaining the information, through its use, sharing, storage
Now that you’ve heard of GDPR, what should you do?
For GDPR compliance specifically, you should probably start with a data inventory: determine what personal data you hold, whether any of it relates to people in the EU, and where that data is located (including with third parties). And then keep doing that, so that if you are compliant, you stay compliant. You should make sure that someone takes responsibility for this task.
This presents an opportunity, not an obligation. The companies that understand and respond early to the higher priority of privacy will see the benefits in their relationship with their customers.
To look at this as only a security and compliance might put the issue
We see an opportunity for companies to present themselves to their customers and target audiences as more responsible and empathetic on the topic of data. That is a very good thing, particularly if it enables stronger relationship building and a basis for more equality and trust between businesses and their customers.
We’ve been thinking about privacy issues for a while and have developed a privacy compliance checklist that you might find useful.
With respect to the GDPR, we’ve only scratched the surface, and there are many more GDPR resources available which provide the technical details. You should check them out; here are a few to start with:
Find out if your organization is doing a good job of managing privacy concerns.