You may have noticed a recent influx of prompts or emails containing updated privacy agreements from companies like Instagram, Apple, Pinterest, Airbnb, and GoDaddy.
This is because the European Union recently passed a new regulation on data and privacy that becomes active on May 25, 2018 and will affect all 28 members of the EU, as well as any countries doing business with EU residents.
This new EU law is forcing companies worldwide to update their privacy policies and to use plain language when collecting data from users.
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is a European law on data protection and privacy. It was first created on April 26, 2016, replacing the 1995 Data Protection Directive.
Prior to this legislation, the personal data of individuals was widely seen as the property of businesses and those who collected and stored information. The GDPR established a fundamental shift in the protection of an individual’s data and privacy. Its primary goal is to give European Union residents control over their own personal information, especially regarding the usage of their data by external organizations.
The GDPR is designed to harmonize data protection regulations across the EU to make it easier for those outside of the EU to comply. With an increase in the amount of personal data online, the GDPR comes equipped with a new set of “digital rights.” These new GDPR rights include the following:
- Consent: the right to be informed of why data is needed and how it will be used.
- Access: the right to access all data collected and receive confirmation of how it is being processed.
- Correction: the right to correct data if it is inaccurate.
- Erasure: the right to request to withdraw one’s data and have it deleted.
- Objection: the right to object to the processing of personal data.
- Automated processing: the right to refuse automated processing and request for data to be reviewed manually.
- Data portability: the right to retrieve and transfer personal data across services.
What does this mean for Canadian companies?
Over the next few months, application of the GDPR is going to pose a significant challenge for some Canadian companies. The GDPR’s purpose is to strengthen the protection of personal data. As a result, it will regulate the flow of data between countries and across borders. This will have a direct impact on Canadian companies with European customers or companies that use cloud services to do business with EU residents.
The GDPR protects the personal data of EU residents across the globe. Residents don’t have to physically be living in the EU, and any business or organization that collects or stores the data of EU residents must comply with the new GDPR regulation—regardless of whether it physically operates in the EU itself.
For Canadian organizations, the GDPR can be seen as an extension of the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies to all personal data, health or otherwise, regardless of the entity. PIPEDA looks at the entire lifecycle of how data is obtained, processed, stored, and destroyed and the GDPR will expand on this.
Canadian companies will have the option of updating their privacy regime to a single global standard or maintaining two sets of privacy procedures moving forward.
You might think this won’t affect your company because you don’t have operations in Europe, but consider the web of suppliers, processors, and third-party vendors that your company regularly deals with—do they deal with European residents? Companies are going to be held accountable and must be able to answer to their customers on how they are complying with the new GDPR regulation. This means that a GDPR audit will have to encompass all vendors as well.
How can companies prepare for the GDPR?
The GDPR is a set of complex regulations, and Canadian Web Hosting is not in a position to offer legal advice. However, here are a few key takeaways we’ve identified:
- Privacy Audit: companies should perform a complete audit of all the personal data they have collected and stored on their servers.
- Check consent: Review your consent procedures. Consent given by an individual must be a clear acknowledgment indicating that the user agrees to the processing of their information. Silence, inactivity, or simple checkboxes will not comply with the new GDPR standards.
- Revoke consent: Include a clear way for a person to withdraw their consent if they choose to. Withdrawing consent should be just as easy as giving it.
- Update tech: Take a look at the software and processes your company uses to collect data and make sure it complies with the GDPR. Companies may need to update their data collection software.
- Educate employees: Educate all staff on the new GDPR regulation so that everyone is aware of ongoing compliance.
- Personal responsibility: At the end of the day, it’s your company’s responsibility to ensure that data is collected in accordance with the GDPR, even if you outsource the collection of data to another company.
What are the penalties for non-compliance?
First of all, your company risks gaining a reputation for non-compliance, and no company wants to be known as the one that doesn’t care about or respect the privacy of its users. The biggest risk of non-compliance, however, is the hefty fine that comes with breaching the new law. The GDPR comes with strict compliance regulations, and failure to comply means severe penalties for organizations. Fines are calculated based on several factors, but the maximum penalty is 4% of a company’s global annual turnover, or €20 million, whichever is higher. These kinds of penalties could be calamitous for a company.
Consumers may not notice a radical shift in what companies are doing, but the change to how businesses treat personal data does mark a shift toward greater control and transparency for individuals. The worst thing a company can do right now is act complacent or put off preparing for the new regulation. The GDPR is not aimed only at big-name tech companies like Facebook or Google. It was created to protect EU citizens and their personal data from companies outside of Europe, and that includes Canadian companies. Take this time to get your business—and the way it treats data—in order and gain a competitive edge.
Lastly, if you’re a company doing business or planning to do business with the EU, it is highly recommended that you seek professional advice before you start collecting personal data.
What are your thoughts on the GDPR? How is your company preparing for this regulation? Let us know in the comments below.