With the web expanding at an incredible rate, a massive amount of data is being collected and stored around the world: IP addresses, GPS locations, cookie identifiers and, of course, personal information.
In the European Union, Parliament is taking a major step towards defining and regulating data privacy by implementing the GDPR (General Data Protection Regulation). This regulation clarifies much of what has been muddy waters in the EU regarding data retention and consent, since the last regulation of its kind, Directive 95/46/EC, implemented in 1998. The goal of the GDPR is to harmonize data privacy laws across the EU, giving power back to citizens in a number of ways. But what does the GDPR mean for businesses that serve citizens of the EU? What steps need to be taken to ensure that these businesses are in compliance with the new regulations? With the regulation coming into effect on May 25th, 2018, it is extremely important to know the level of transparency and the amount of information your company is required to provide.
What Has Changed Since the Last Regulation?
- Definition: Currently, the definition of personal data is vague; with the growing possibilities of the web, there has been a lot of change in what can be collected since the past regulation of 1998. With the GDPR, the definition of personal data is being expanded to include IP addresses, cookie identifiers and GPS locations, all of which were either non-existent or of much less importance 20 years ago. In particular, the saturation of mobile phones has made location-based information extremely valuable to businesses.
- Consent: Under the new regulations, consent is central to compliance. Companies will no longer be able to use illegible terms or legalese, meaning that the request for consent must be presented in an intelligible and easily accessible form. If you have ever taken the time to read through the privacy policy of any major tech company, you will quickly understand the frustration of trying to interpret what sort of privacy-related compromises you are making as a data subject. Additionally, under the GDPR, it must be as easy to withdraw consent for these privacy policies as it is to give it.
- Privacy by Design: In the past 20 years, privacy has been treated as an addition to systems rather than as part of the design of the system. Under the new regulations, the design of data controlling systems must include consideration for data protection. These data control systems are also required to process only the data that is deemed absolutely necessary for the completion of the system’s intended duties.
- Right to Access: Currently, it can be difficult for data subjects to acquire a copy of the personal data being collected about them. With the GDPR, data subjects are permitted to request an electronic copy of their processed data, free of charge. This new regulation clears up confusion over what sort of data is being processed and whether the data subject is permitted to know exactly what this data is.
- Right to be Forgotten: In addition to knowing exactly what sort of information is being collected, data subjects are also free to request that the data controller erase their data. Not only is the data controller required to erase the data, but they must also cease to further disseminate it and potentially have third parties halt their processing of this data.
- Breach Notification: In the event of a data breach, there is currently no firm understanding of when it is required to notify the data subject. As of May 25th, 2018, data controllers must give notification to data subjects within 72 hours of first having become aware of the breach.
Detailed info on the GDPR can be found in the EU GDPR Information Portal: https://www.eugdpr.org/
What Does This Mean For Your Businesses?
You may have noticed an abundance of emails lately regarding privacy policy changes. The GDPR is causing major companies such as Google and Apple to seriously reconsider how they present their data collection practices to users. Although the type of data being collected is not changing much, access to this data and the way businesses write policy will change greatly.
Ask yourself if your business serves citizens of the EU.
If the answer is yes, even if you are not based in the EU, it is worth doing some research into how your privacy policy is worded, along with being aware that EU citizens may request a copy of their data at any time. For larger companies, a DPO (Data Protection Officer) may need to be appointed. This is a staff member who educates employees on the compliance requirements, trains staff involved in data processing and serves as the point of contact between the company and GDPR Supervisory Authorities.
If the answer is no, you’re not off scot-free. Any company that has a website and markets products and services online needs to give attention to this new regulation. Just ensure you’re not purposely or accidentally targeting users who are based in an EU country, for example by using the language of that country or making references to EU users and customers. However, generic marketing doesn’t count, so don’t be concerned that you need to abide by the GDPR for EU users who happen to arrive at your site. For example, an EU data subject who finds your Canadian-based service business via Google or other search engines would not be covered under this regulation.
Finally, companies using Google Analytics should also note that Google is setting a data retention limit of 26 months as the default time for storing Analytics-based data. That said, data controllers can change this retention period to whatever they want, but it is good to be aware of it: if your business relies on long-term data from Analytics, you should double-check your settings.
Read more: The Globe and Mail: https://www.theglobeandmail.com/business/small-business/marketing/article-europes-gdpr-rules-mean-big-changes-for-businesses-in-canada/
What Next?
In conclusion, knowing the new rights given to data subjects is a valuable part of transitioning smoothly into the GDPR regulations. Given that the maximum penalty for not conforming to the GDPR is 4% of annual global turnover or €20 million (whichever is greater), the incentive to comply is strong. That said, since the regulations are really just rules to notify data subjects about what information is being collected and stored, there are no new laws being put in place that limit what sort of information can be collected. Since companies are still allowed to gather any sort of information they want, provided they notify their data subjects, a change to privacy policies is likely more of a bump in the road than a roadblock. Where it may become frustrating for companies is when large numbers of people request to have every bit of information being collected about them presented in an easy-to-read digital format. These frustrations will come to light on May 25th, 2018, when the GDPR is implemented.
Read more on fines and plan of action for Canadian businesses: Financial Post: http://business.financialpost.com/executive/many-canadian-organizations-unprepared-for-the-eus-gdpr-compliance-deadline
The key takeaway is that if you do business with EU customers, take note of the GDPR. If you’re a local business with only Canadian customers, you’re safe, but it’s important to be aware of the ever-changing online environment.
If you have questions about the GDPR and how it affects your business, don’t hesitate to contact us.