With the new General Data Protection Regulation (GDPR) having taken effect in the European Union nearly a month ago, the spotlight on this hot topic has dimmed considerably – which is not to say that it shouldn’t continue to be on our radar.
While GDPR protects, among other things, the privacy of all individuals within the EU, in today’s basically all-digital world, corporations and businesses both within and beyond the EU’s borders must comply with the new data collection procedures.
As a Canadian firm or company, you may be wondering if GDPR really does matter to you. If you offer goods and/or services to EU residents (even if your operations are based in Canada), then the answer is yes. If you have offices and employees in the EU, then the answer is yes. If you collect personal data from individuals who are in the EU through your website or mobile app, then yes. If you process personal data of individuals in the EU on behalf of your clients, then yes.
But really, why should you care?
If you believe that not annoying clients builds better business relationships and establishing a data protection process is in everyone’s best interest, then yes, you should care about GDPR. If you believe that keeping people informed of the data you are collecting and allowing them to edit and erase this data is essential to establishing trust and building brand reputation, then yes, GDPR should matter to you.
Plus, not complying comes with some pretty hefty fines: up to €20 million or 4% of your total annual turnover. At the time of blog publication, the exchange rate puts it at $30,705,186.48 CAD.
What can you do to ensure that you are compliant with GDPR?
As a marketing and web development agency for professional services, we are constantly evolving our offering to ensure the best experience for our clients and our clients’ clients. While you may not fall directly under the jurisdiction of GDPR, we believe that it is better to be safe than sorry and recommend that you review your website data collection procedures as well as implement well-documented, compliant procedures for handling sensitive data.
The topic of GDPR certainly runs deep and there is an overwhelming amount of information out there. Here is a starting point to ensure that your website is compliant:
1. Consent to collect personal information must be clear
When it comes to website compliance, the largest area that the GDPR addresses is that of consent before the collection of personal data. This consent covers areas like online forms, cookie usage, and any other area where a client may provide personal details and the company collects and stores this information.
GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
You must ensure that all methods of acquiring consent are clear and granular. Consent must be freely given, specific, informed, and unambiguous.
We highly recommend implementing the following practices:
- Active opt-in – contact preferences must default to blank or ‘no’. You can’t default it to ‘yes’ and expect a user to uncheck it before submitting. This is just good user design and you should already be doing this.
- Opt-in permissions should be granular – wherever appropriate, separate consent should be allowed for each type of processing (e.g. email, phone, etc.)
- Give people access (right to access) – allow users the ability to access their data and provide information on how data is being processed.
- Make it easy to withdraw permission (right to erasure) – you must make it as easy to withdraw consent as it was to give it. This is usually done by a contact preference center or at the very least, an unsubscribe option.
All of this is good practice and has been for years. It should already be a big part of your data collection methods. If it isn’t, now is a good time to review all of your online contact points, update your privacy documentation, and ensure that you are both compliant and providing the best user experience to your clients.
2. Cookies require consent too
Google has stated that it is GDPR-compliant across its product line (e.g. Analytics, AdWords, etc.) and has provided new tools to allow end-users to modify data retention periods of personal data collected.
Be aware of what software your website is using. Some CMSes are built by a variety of third-party plugins and each of these could be a potential hazard of improper data collection methods. Review your site policies and identify any and all plugins and how they interact with users.
3. Other steps to take towards compliance
The Information Commissioner’s Office has provided a process to being GDPR-compliant, which you can read more about here: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
In summary, these are the necessary steps to ensuring your website is compliant with the new rules:
- Awareness – educate your key stakeholders about the coming changes and ensure a plan is implemented to deal with any non-compliancy issue.
- Current position – identify what personal data you hold and who you share it with. Document this information and ensure it is accurate.
- Review privacy information – your privacy note should clearly identify who you are, how you intend to use the collected information, and now, because of GDPR, what your lawful basis for processing the collected data is. You should also include your data retention periods and provide a way for people to report if they believe their data is not being handled properly.
- Rights of Individuals – ensure people have the ability to gain the necessary information or that you can perform the necessary function on their data (e.g. delete if requested). The GDPR includes the following rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and,
- the right not to be subject to automated decision-making including profiling.
- Subject access requests – should a user request changes to their personal data, you have one month to comply and cannot charge for this service (unless the request is found to be excessive).
- Lawful Basis for Processing Personal Data – understand what your lawful basis for processing personal data is. Quite often, this basis is consent (which now must be explicitly given and not implicit). Also note that users who give consent must have an equally easy way of removing consent.
- Consent – review your consent practices. As stated above, consent must be freely given, specific, informed, and unambiguous; basically, do not try to deceive a user into signing up for more than they requested.
- Children – there are specific protections now in place to protect children’s personal data.
- Data Breaches – ensure you have the right procedures in place to detect, report, and investigate a personal data breach.
- Data Protection by Design and Data Protection Impact Assessments – basically, if you are deploying a new type of technology, are profiling in a way that will significantly affect individuals, or are processing data on a large-scale, you must provide a DPIA. More information on DPIAs can be found here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/
- Data Protection Officers – you should designate someone to take responsibility for data protection compliance in your organization. This position is mandatory if you are a public authority, an organization that regularly monitors individuals on a large-scale, or an organization that does large-scale processing of certain types of data like health records.
- International – you must establish a lead authority in the location of your main establishment.
How we can help you
If you’d like to learn more about GDPR compliance or have us conduct a detailed analysis of your website’s compliancy, contact us and we would be more than happy to help.
For a deeper dive into GDPR, here are some additional resources: