Globe and Mail article written by Avery Swartz

Europe’s GDPR rules mean big changes for businesses in Canada

by Avery Swartz, published in The Globe and Mail, May 17, 2018

Small-business owners who have a website with analytics-reporting tools, run online ads or use an e-mail marketing system have received a message in the past few weeks, urging them to update their account settings to comply with the GDPR. This has left many wondering “what’s the GDPR?”

The General Data Protection Regulation is the legal framework regarding data protection and privacy in the European Union that comes into full effect May 25, 2018. It affects anyone with clients, customers or website visitors in EU countries, as well as Iceland, Norway and Liechtenstein. The GDPR gives greater protection and rights to individuals and is the biggest change to European data-privacy law in more than 20 years.

If your business has clients, customers or website visitors in the European Economic Area, you must be in compliance with the GDPR. Organizations that are not can face a penalty of up to €20-million ($30-million), or 4 per cent of the worldwide annual revenue of the prior financial year, whichever is higher.

But even if you’re not doing business in Europe, following the guidelines of the GDPR isn’t a bad idea. Because so many internet-based companies operate globally, it’s easier for them to update their terms of use to meet the most stringent requirement in all countries, instead of having different policies for different regions. Many are choosing to follow the GDPR rules everywhere. They will become the de facto standard for privacy terms worldwide, even in countries that don’t police it.

Here are some tips on how to get your business in tune with the GDPR:

Start with a list
Make a list of all the places online where you ask people for personally identifiable information. Start with your website. Are you requesting names, e-mail addresses or credit card information? Online forms, comment boxes, e-mail marketing sign-ups and e-commerce are all places where you may be collecting personal data.

Looking beyond your website, where else are you collecting, storing and using customer or client data? Think about sales databases, CRM software and e-mail marketing lists. Did you have permission to collect personal information in the first place? Do you have explicit consent (and a record of that consent being given) to use the data for sales and marketing purposes? When it comes to consent and digital marketing, the GDPR is more strict than the Canadian Anti-Spam Law (CASL). Under CASL, you can market to customers or clients for up to two years after receiving “implied consent.” With the GDPR, it’s explicit consent only.

What is your website tracking?
Many of the small-business owners I work with have no idea what’s running under the hood of their websites. You likely have Google Analytics installed on your site, and may have other marketing or social media trackers as well (social media “share” buttons are a common example).

These tracking tools work through the use of “cookies,” “web beacons” or “pixels,” which allow the web browser to remember information about the website visitor’s browsing session: what device they’re using, where they’re located, which pages of the website they visited, and so on. Some of that information can be personally identifiable, and as such, you must inform website visitors from the European Economic Area.

Under the GDPR, it is not enough to have passive consent for the use of cookies (through a message such as, “if you continue to use this website, you agree to our terms”). Website visitors must take action to indicate their awareness and agreement. I’ve noticed an increase in organizations with pop-ups on their sites, telling the visitor that cookies will be in use, and they must click an “accept and continue” button to continue browsing the website. The pop-up gives the website visitor the opportunity to disable cookies in their web browser or to leave the website before they are tracked.
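The “accept and continue” pattern above, as an added example that is not code from the article: trackers are injected only after an explicit accept click, the choice is stored together with a timestamp and policy version (the record of consent the earlier section asks for), and the storage key, tracker URLs and button id are placeholders I assumed.

```javascript
// Added example (not the article's code): gate trackers on explicit, recorded consent.
const CONSENT_KEY = 'cookie_consent';
const POLICY_VERSION = '2018-05-25'; // bump when the privacy policy changes
const TRACKER_SCRIPTS = [            // placeholder URLs, an assumption
  'https://example.invalid/analytics.js',
  'https://example.invalid/share-buttons.js',
];
// In-memory store with the localStorage interface so the gate runs outside a
// browser; in a page, pass window.localStorage instead.
function makeMemoryStore() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
// Record what the visitor chose, when, and under which policy version.
// A 'decline' is stored too, so the visitor is not asked again on every page.
function recordConsent(store, choice, now = Date.now()) {
  const record = { choice, policyVersion: POLICY_VERSION, at: new Date(now).toISOString() };
  store.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}
// Only an explicit 'accept' for the current policy counts; no record, a
// 'decline', an outdated version or a corrupt value all mean "do not track".
function hasValidConsent(store) {
  const raw = store.getItem(CONSENT_KEY);
  if (raw === null) return false;
  try {
    const rec = JSON.parse(raw);
    return rec.choice === 'accept' && rec.policyVersion === POLICY_VERSION;
  } catch (e) {
    return false; // unparseable record is treated as no consent
  }
}
// Inject trackers through the supplied function only when consent is valid;
// returns what was loaded (empty while the gate stays closed).
function loadTrackers(store, inject) {
  if (!hasValidConsent(store)) return [];
  TRACKER_SCRIPTS.forEach(inject);
  return TRACKER_SCRIPTS.slice();
}
// Browser wiring: the "accept" button (assumed id) records consent, then loads trackers.
if (typeof document !== 'undefined') {
  const inject = src => { const s = document.createElement('script'); s.src = src; document.head.appendChild(s); };
  loadTrackers(window.localStorage, inject); // returning visitor who already accepted
  const btn = document.getElementById('cookie-accept');
  if (btn) btn.addEventListener('click', () => { recordConsent(window.localStorage, 'accept'); loadTrackers(window.localStorage, inject); });
}
```

Because the tracking scripts are never in the page markup, merely scrolling or continuing to browse cannot start tracking; changing POLICY_VERSION after a policy update invalidates old consent and re-prompts the visitor.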

Make a privacy plan
Once you understand what personally identifiable information you (and your website) are collecting, you need to make a plan for how you’ll protect that information. You must keep private data secure, be able to share it with individuals if requested and be able to delete it completely. Also, if you suffer a data breach, you have to report it to the affected individuals and the necessary authorities within 72 hours.

All employees within your organization who have access to personally identifiable information need to understand the GDPR and the privacy practices of your business. You may need to formally appoint a data protection officer (check whether that requirement applies to your organization).

State your privacy policy
Once your organization has a privacy plan in place, it needs to be prominently displayed as a privacy policy. I advise businesses to make a privacy policy page on their website, and post a link to it in the footer of the site. The GDPR mandates that the language in your privacy policy should be “concise, easy to understand and clear.” State what information you are collecting, exactly how you are collecting it, why it is necessary for you to collect it, what you are doing to keep the information safe, whether the data is ever shared with third parties and how someone can get in touch with you to access their data or request its removal.

If you have any specific concerns about your business’s compliance with the GDPR, speak with legal counsel. You can also read the U.K. Information Commissioner’s Office’s online guide to the GDPR, including their 12-step prep guide for organizations.