Are you ready for GDPR?

Posted by John Brookes on Feb 20, 2018 11:22:00 AM


 The EU is getting serious about privacy. Maybe you should too.  

The good news: if you are compliant with the Canadian privacy standards PIPEDA and CASL, then you are already in a very good starting place and are likely compliant.

Key Takeaways:

  • This only applies to you if you have customers, employees, or prospects in the EU. 
  • If it does apply to you, you must comply or face potential fines. 
  • Be transparent and intentional about your use of personal information - including cookies. 
  • You don't have to have a 'cookie pop-up', but that might change next year. 
  • Confirm your compliance, and start with our Privacy Checklist


On May 25th something big is coming at us all from Europe. 
If you don’t know about it, you probably should – and now!

On 25 May 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) comes into effect to protect the privacy of people living in the EU.  It applies to companies in and outside the EU which hold information about people living in the EU.  

It might be a foreign law, but there are many reasons to pay attention and understand how it applies, what countries around the world have to do about it, and what can happen if you don’t.

This new law will matter to your company if it does or has any of the following:

  • employees in the EU or EU applicants for job vacancies;
  • customers in the EU;
  • mailing lists or newsletter subscribers with EU members;
  • market research involving or tracking activity of EU residents;
  • or any plans or potential for any of these activities.

Basically, have you heard of the EU?  Here’s a list of 28 countries in the EU, as we couldn’t remember them all either!  

A yes to any of these questions means the GDPR could apply to your company’s activities, starting with information you have or obtain through your website.

This time, it's not enough just to know about the new law. We think you need to care about it as well. We’re going to give you a few reasons why.

Just because a particular law applies to you, you might not think you need to pay attention or care. We think the situation is different this time, and you probably will too, for three reasons.

  1. The EU is serious about doing this. This new regulation will be a law which each EU country has to introduce. It’s mandatory, not just encouraged.
  2. The EU is very serious about enforcing the new law. The fines are huge as we already mentioned, and we’ll say again: up to €20m or 4% of annual turnover (whichever is higher).
  3. There is no phase-in period. From the start there is no limit on company size which means the fines can affect small startups as much as large corporates.

We hope you’re still reading.  At this point, you probably fall into one of two categories.

  1. You knew about GDPR already; or
  2. You didn’t, and now you really wish you were in category 1.

We didn’t want to just get your interest and leave it there. It’s also important for you to know a bit more about why this new law was needed and the different approach to privacy issues that it reflects.

Whether you are in category 1 or 2, there is more that will help you understand why this new law, made by (28) foreign governments, was needed and how it’s different from what we might be used to in relation to personal data and information.

Before the GDPR was introduced, each of the 28 countries had its own separate data protection laws, which were based on how each understood guidance from the EU. The result of this was “confusion” according to the official response. The non-official response was not as polite or restrained. The new law not only addresses the way personal information is obtained, handled and processed, it also goes much further than data protection laws typically do. We’ve set out the major differences from what we’ve seen before.

It’s not just technical compliance. It’s compliance in everything you do.

The new law isn’t just about the technical side of personal information. Only 8 of the 99 sections or articles in the law deal with technology relating to personal information. The law deals with all activities relating to the information from storage and security all the way to marketing activity. The law is aimed at getting companies to build a privacy foundation for everything they do, so that it is part of the way business is carried out in general.

The “personal information” it applies to is a bit more than we’re used to

GDPR’s definition of personal information covers more than you might expect. 

It includes any information related to a person or that can be used to directly or indirectly identify the person. This is anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

“Passing the Buck” won’t work here either.

If the information was provided to you, you must look after it, wherever it is. And this is going to be messy – for everyone. One study reported that more than 60% of CIOs surveyed globally said that their IT organizations have less than half of corporate data under their control. So everyone is going to be looking.

Say Goodbye to the Small Print.

Do you have some of those small print terms & conditions or consent forms on your website that everyone can just “click” to accept? Say goodbye to them.

Consent is going to be treated in a much tougher way. Any request for consent – which will be relevant to any information you get – has to be easily accessible and understood. The purpose for which the information is being provided must also be clear.

Consent must also be easy to withdraw, and people will have the right to be “forgotten”, which means they can ask for their personal data to be deleted, as well as ask where it is being stored. Gone are the days of using lists of email addresses obtained elsewhere.

The GDPR Diet - you can still have cookies, just don't be sneaky about them.

GDPR does not specifically require you to secure 'express consent' for the use of cookies, and therefore you can continue to use cookies and retargeting pixels if you have the user's implied consent. That means you must have a transparent and accurate cookie policy that should be available from every page of your website. But you do not necessarily have to have a 'cookie pop-up' that secures a user's understanding and consent to your use of cookies.

At least, not yet. This is scheduled to be revisited in 2019, so stay tuned for updates. 


 Is your organization a good custodian of your customers' privacy? 
Not sure? 

Download Our Free Privacy Checklist


You have to be a tattle tale – even about yourself

Security breaches, which are unauthorised access to the information, and privacy breaches, which are unauthorised collection, sharing or movement of data, must be reported to EU authorities and to the people whose information was affected. And it has to be quick: within 72 hours to authorities and “without undue delay” to the individuals.

The biggest change is the broader focus on privacy of information. It’s not just a security issue anymore, but security is still an important part.

The new law focuses on privacy, throughout the full cycle from collecting or obtaining the information, through its use, sharing, storage and transfer. Security is only part of the privacy process.

Now that you’ve heard of GDPR, what should you do next?

Whether or not you think GDPR will definitely apply to your company, its principle of considering privacy issues in relation to all that your business does is appropriate.

For GDPR compliance specifically, you should probably start with a data inventory to determine what data you have, whether it includes data associated with European-based people, and where this data is located. And then keep doing that, so that if you are compliant, you stay compliant. You should make sure that someone takes responsibility for this task.

It sounds simple enough, but it might not be easy, and this is not something that a new program or app can do to make you compliant. At this time, the EU cannot certify that any company is compliant – and neither can anyone trying to sell you a process. A process can help you. It can’t do it alone, however.

This presents an opportunity, not an obligation. The companies that understand and respond early to the higher priority of privacy will see the benefits in their relationship with their customers.

To look at this as only a security and compliance issue might put it in a negative light, which would be a mistake. Everyone should care about and be aware of the principles behind the new law, at every level and in every discipline.

We see the opportunity for companies to represent themselves to their customers and target audiences as more responsible and empathetic on the topic of data, which makes this a very good thing, particularly if it enables stronger relationship building and the basis for more equality and trust between businesses and their customers.

We’ve been thinking about privacy issues for a while and have developed a privacy compliance checklist that you might find useful.

With respect to the GDPR, we’ve only scratched the surface, and there are many more GDPR resources available which provide the technical details. You should check them out, and here are a few to start with:

General Data Protection Regulation full text: 

GDPR Official Site FAQ:

Microsoft webinar – “How to Accelerate Your Journey to Compliance” (Nov 16):



Topics: Strategy, Privacy

