TL;DR
Too busy to read the whole blog? No problem. We've summarized the highlights below.
On May 25th something big is coming at us all from Europe. If you don’t know about it, you probably should – and now!
- This only applies to you if you have customers, employees, or prospects in the EU.
- If it does apply to you, you must comply or face potential fines.
- Be transparent and intentional about your use of personal information – including cookies.
- You don’t have to have a ‘cookie pop-up’, but that might change next year.
The EU is getting serious about privacy. You should too.
The good news; if you are compliant with Canadian Privacy Standards of PIPIDA and CASL, then you are already in a very good starting place, and are likely compliant.
On 25 May 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) comes into effect to protect the privacy of people living in the EU. It applies to companies, no matter where they are located, who hold information about people living in the EU.
It might be a foreign law, but there are many reasons to pay attention and understand how it applies and what countries around the world have to do about it. As well as what can happen if you don’t.
This new law will matter to your company if it does or has any of the following:
- employees in the EU or EU applicants for job vacancies
- customers in the EU
- mailing lists or newsletter subscribers with EU members
- market research involving or tracking activity of EU residents
- or any plans or potential for any of these activities.
(Here’s a list of 28 countries in the EU, as we couldn’t remember them all either!)
It might be a foreign law, but there are many reasons to pay attention, understand how it applies to you and what countries around the world must do about it. As well as what can happen if you don’t.
This time, it’s not enough just to know about the new law. We think you need to care about it as well. We’re going to give you three reasons why.
- The EU is serious about doing this. This new regulation will be a law which each EU country has to introduce. It’s mandatory, not just encouraged.
- The EU will be enforcing the new law. The fines are huge as we already mentioned, and we’ll say again: up to €20m or 4% of annual turnover (whichever is higher).
- There is no phase-in period. From the start there is no limit on company size which means the fines can affect small startups as much as large corporates.
That’s not all. It’s also important for you to know a bit more about why this new law was needed and the different approach to privacy issues that it reflects.
There is more that will help you understand why this new law, made by (28) foreign governments, was needed and how it’s different from what we might be used to in relation to personal data and information.
Before the GDPR was introduced each of the 28 countries had its own separate data protection laws, which were based on how each understood guidance from the EU. The result of this was “confusion” according to the official response. The non-official response was not as polite or restrained. The new law not only addresses the way personal information is obtained, handled and processed, it also goes much further than data protection laws typically do. We’ve set out the major differences from what we’ve seen before.
It’s not just technical compliance. It’s compliance in everything you do.
The new law isn’t just about the technical side of personal information. Only 8 of the 99 sections or articles in the law deal with technology relating to personal information. The law deals with all activities relating to the information from storage and security all the way to marketing activity. The law is aimed at getting companies to build a privacy foundation for everything they do, so that it is part of the way business is carried out in general.
The “personal information” it applies to is a bit more than we’re used to.
GDPR’s definition of personal information covers more than you might expect.
It includes any information related to a person or that can be used to directly or indirectly identify the person. This is anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
“Passing the Buck” won’t work here either.
If the information was provided to you, you must look after it, wherever it is. And this is going to be messy – for everyone. One study reported that more than 60% of CIOs surveyed globally said that their IT organizations have less than half of corporate data under their control. So everyone is going to be looking.
Say Goodbye to the Small Print.
Do you have some of those small print terms & conditions or consent forms on your website that everyone can just “click” to accept. Say goodbye to them.
Consent is going to be treated in a much tougher way. Any request for consent – which will be relevant to any information you get – has to be easily accessible and understood. The purpose the information is being provided must also be clear.
Consent must also be easy to withdraw and people will have the right to be “forgotten” which means they can ask for their personal data to be deleted, as well as where it is being stored. Gone are the days of using lists of email addressed obtained elsewhere.
The GDPR Diet – you can still have cookies, just but don’t be sneaky about them.
GDPR does not specifically require you to secure ‘express consent’ for the use of cookies, and therefore you can continue to use cookies and retargeting pixels if you have the user’s implied consent. So that means that you must have a transparent and accurate cookie policy, that should be available from every page of your website. But you do not necessarily have to have a ‘cookie pop-up’ that secures a users understanding and consent to your use of cookies.
At least, not yet. This is scheduled to be revisited in 2019, so stay tuned for updates.
You have to be a tattle tale – even about yourself.
Security breaches, which are unauthorised access to the information and Privacy breaches, which are unauthorised collection, sharing or movement of data must be reported to EU authorities and to the people whose information was affected, And it has to be quick – within 72 hours to authorities and “without undue delay” to the individuals.
The biggest change is the broader focus on privacy of information. It’s not just a security issue anymore, but security is still an important part.
The new law focuses on privacy, throughout the full cycle from collecting or obtaining the information, through its use, sharing, storage and transfer. Security is only part of the privacy process.
Now that you’ve heard of GDPR, what should you do next?
Whether or not you think GDPR will definitely apply to your company, its principle of considering privacy issues in relation to all that your business does is appropriate.
For GDPR compliance specifically, you should probably start with a data inventory to determine what data you, and whether it includes data is associated with European-based people, and where this data is located. And then keep doing that, so that if you are compliant, you stay compliant. You should make sure that someone takes the responsibility for this task.
It sounds simple enough, but it might not be easy, and this is not something that a new program or app can be used to make you compliant. At this time, the EU cannot certify that any company is compliant – and neither can anyone trying to sell you a process. A process can help you. It can’t do it alone however.
This presents an opportunity, not an obligation. The companies that understand and respond early to the higher priority of privacy will see the benefits in their relationship with their customers.
To look at this as only a security and compliance might put the issue under a negative light, which would be a mistake. Everyone should care about and be aware of the principles behind the new law, at every level and in every discipline.
We see the opportunity for companies to represent themselves to their customers and target audiences as more responsible and empathetic on the topic of data, which makes this a very good thing, particularly if it enables stronger relationship building and the basis for more equality and trust between businesses and their customers.
With respect to the GPDR, we’ve scratched the surface and there are many more GDPR Resources available, which provide the technical details. You should check them out and here are a few to start with: