GDPR is now firmly implemented across the EU and although the new law only affects its citizen’s data, the impact of the law is being felt worldwide. If you are an organisation in Canada that offers goods or services to EU citizens, you are now expected to comply with GDPR, even if you do not have a physical presence there. Therefore, businesses in Canada who collect and process personal data from the EU should ensure that they are compliant with the regulation.
The General Data Protection Regulation is the legal framework regarding data protection and privacy in the European Union that came into full effect May 25, 2018. It affects anyone with clients, customers or website visitors in EU countries. It gives greater protection and rights to individuals and is the biggest change to European Data privacy laws in over 20 years.
If you do business with customers or clients in the EU, by law you have to be compliant with GDPR. If you fail to comply, you will face heavy fines. To understand what these check out our GDPR Infographic – Non-Compliance and Penalties here.
If you are not currently doing business in Europe, adopting the GDPR guidelines is a positive step forward for all businesses. The reason for this is that internet businesses operate on the global stage and it will be easier to update terms and conditions on your website to meet the most stringent requirements across all the countries you operate in, instead of having separate policies for separate countries or regions.
Simple steps to help you with GDPR
Create a list
Create a list detailing all the places online where you ask people for personal identifiable information. The best place to start is your website. Do you ask them for their names, email addresses or credit card information? Then look at any online forms or sales funnels, comment collection boxes, any email marketing sign-ups or e-commerce points are all potential collection points to take into consideration.
Moving on from the collection points, you need to think about where you are storing this information. Your CRM database or email marketing lists that contain a high volume of sensitive data. You need to ask yourself, did we get permission to collect this information in the first place? Have they given us their explicit consent? You will need to keep a record of that consent given to use in sales and marketing campaigns? The Canadian Anti-Spam Law allows companies to market to customers for up to two years after they have received implied consent. Whereas GDPR is explicit consent only.
How do you track website visitors?
Businesses use tracking tools such as cookies, web beacons or pixels to allow the web browser to remember information about the website visitors browsing session. Information about what device they used, their location and what pages they have visited. This information is PII data and as such you will have to inform visitors from the EU.
GDPR states that it is not enough to have passive consent for the use of cookies. Websites are now creating pop-ups with a warning for visitors that cookies are in use on the site, “If you continue to this website, you agree to our terms and conditions”. This allows the visitor the option to disable the cookie in their browser or they can leave the site if they do not want to be tracked.
Canada -Update your privacy planAs soon as you understand what PII you are collecting and where it is coming from, you can move on to the next stage. You need to create a detailed plan to protect that data and keep it secure from potential cyber threats. There is also a clear need to be able to keep it safe, share that private information or delete it if it’s requested through a SAR or a Right to Erasure. Also, to meet the requirements under GDPR if you were to suffer a data breach you would have to put measures in place to report it to the regulators and the data subject.
The creation of new plans will need to be communicated throughout the organization. New procedures and processes may need to be rolled out to make employees aware of how to handle the sensitive information and make sure they are aware of what the privacy policies are. Depending on your level of data collection your organization may need to appoint a Data Protection Officer (DPO).
Clearly State your Privacy Policy
After you have completed all of the above and you have a new privacy policy, it will need to be prominently displayed on your website. Create a separate page on your site and link the privacy policy to your sitemap or page footer so it can be easily referenced. The GDPR mandates the policy be written in easily readable language and be clear and concise in informing visitors what information you intend to collect, how you intend to collect it, why its necessary to collect it and how you intend to secure it. It also needs to outline if the data is ever shared with third parties and how someone can get in touch with you to accesses the data you have stored on them to request access to it or delete it.
As the privacy landscape continues to change worldwide and in Canada, businesses need to keep abreast of their data privacy policies and their impact.