10 steps to prepare your business for the GDPR (General Data Protection Regulation)

Even if your company is not located in the EU

The General Data Protection Regulation is a new set of rules, revised from the current Data Protection Law, that will soon be mandatory for companies that deal with European consumers.

From May 25, 2018, the regulation requires the safeguarding of the personal information of all citizens of the member states of the European Union. While many companies are already aligned with its requirements, it's important to make sure your company has everything covered.

This article takes a look at what you need to have in place to avoid being found to be in violation of the GDPR.

The truth is that these new rules are aimed at large companies that trade in information as a source of income. Smaller companies are not likely to be fined the 4% of global gross revenue or €20m that larger corporations face if they are found to be in violation.

If you’re worried about having a mountain of work ahead of you to prepare, you shouldn’t be. If you’re not sure if you’ll be affected, look for these key signs:

1. You trade information as a commodity;

2. You request user data when a purchase is completed and then use that data elsewhere or store it;

3. You have dealings with one or more European countries.

If the answer is no to all three, then you'll be fine!

So what can you do just in case?

Here are 10 steps your business can take to be better GDPR-ready, even if you’re not physically located in the EU.

1. If your website has an online form that includes a pre-ticked box giving permission to receive promotional emails from third parties, this box now needs to be unticked.

2. If your company does any kind of list building, make sure that everyone on that list has given explicit permission to be on it. Under the Canadian PIPEDA, implied permission was enough; however, if there are EU residents in your database, the rules are much stronger and give subscribers the right to obtain the information stored about them.

3. Make sure all of your staff are aware of the new rules. Circulate a memo to all staff with a follow-up meeting where items are reviewed. Asking key players whose roles would be most affected by the new rules a few questions is a great way to make sure they’re aware of what they need to do.

4. Audit all stored client/customer information and track where it was obtained and where it has been used. Keep track of every bit of information and to whom it was passed at any time, and document the relationship and rationale.

5. Update your privacy policy to include why user data is retained, the legal basis on which it is used, and how users can contact your company if they feel their information is being used improperly.

6. Have a clear method for dealing with a user's data erasure requests. Under the DPA, users already had certain rights, but the GDPR goes further, giving them rights over the data your company holds about them.

The rights consist of:

• the right to be informed

• the right of access

• the right to rectification

• the right to erasure

• the right to restrict processing

• the right to data portability

• the right to object

• the right not to be subject to automated decision-making, including profiling

You will need to be able to provide all of this information in a clear, machine-readable format (not handwritten).

7. Have a process for handling large volumes of requests. Previously, under the DPA, companies had 40 days to comply with a request. That has been shortened to a month. Any legal request must be complied with, although if there are a large number of requests and the suspected motive is to cause problems for your business, these requests can be legally challenged.

8. Have your legal reason for retaining user data or passing it to others clearly indicated for users and ensure that the opt-in option is not pre-ticked or unclear. Users need to have a clear understanding of why you want their data, what you do with it, and who you might share it with. And they should have the option to say no. This is separate from the Terms and Conditions.

9. If your business deals with anyone under the age of 16, you will need the permission of a parent or guardian to process the child’s data. This is very important and strictly regulated, but at the same time, if you’re not treating the information like a commodity, you probably don’t have to worry.

10. Have measures to deal with a data breach. In the event that user data is compromised, you will need to have a way to let all affected users know what was compromised and when. Assigning someone internally to coordinate the response is a great idea.
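The following is an added example, not part of the original article, showing what a minimal back-end for steps 4, 6 and 7 can look like in Python: consent is recorded only when it was explicit (not a pre-ticked box), every hand-off of the data is documented with its rationale, the subject's record can be exported as machine-readable JSON or erased on request, and the one-month response deadline is computed from the date a request was received. The in-memory store, the class and function names, and the sample subject are all assumptions made for illustration; the one-month deadline is treated as one calendar month, clamped to the last day of a shorter month.

```python
import calendar
import json
from dataclasses import asdict, dataclass, field
from datetime import date


@dataclass
class Consent:
    purpose: str        # what the data is used for (e.g. "newsletter")
    source: str         # where the data was obtained (step 4)
    granted_on: str     # ISO date on which the subject opted in


@dataclass
class Subject:
    email: str
    name: str
    consents: list = field(default_factory=list)
    disclosures: list = field(default_factory=list)  # who received the data, and why


class PersonalDataStore:
    """Illustrative in-memory store; a real system would persist this and restrict access."""

    def __init__(self):
        self._subjects = {}

    def record_consent(self, email, name, purpose, source, granted_on, explicit):
        # Steps 1, 2 and 8: a pre-ticked box or implied permission is not consent.
        if not explicit:
            raise ValueError("consent must be an explicit, unticked-by-default opt-in")
        subject = self._subjects.setdefault(email, Subject(email=email, name=name))
        subject.consents.append(Consent(purpose, source, granted_on))

    def disclose(self, email, recipient, rationale, on):
        # Step 4: every hand-off of personal data is documented with its rationale.
        self._subjects[email].disclosures.append(
            {"recipient": recipient, "rationale": rationale, "on": on})

    def export(self, email):
        # Right of access / data portability: everything held, as machine-readable JSON.
        subject = self._subjects.get(email)
        if subject is None:
            return None
        return json.dumps(asdict(subject), indent=2, sort_keys=True)

    def erase(self, email):
        # Right to erasure: returns True if a record was actually removed.
        return self._subjects.pop(email, None) is not None

    def purposes(self, email):
        # Convenience view used to answer "why do you hold my data?"
        return [c.purpose for c in self._subjects[email].consents]


def response_deadline(received):
    """Step 7: one calendar month after receipt, clamped to the end of a shorter month."""
    year = received.year + received.month // 12
    month = received.month % 12 + 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


if __name__ == "__main__":
    store = PersonalDataStore()
    # Constructed sample subject, not real data.
    store.record_consent("anna@example.eu", "Anna", "newsletter",
                         "web sign-up form", "2018-06-01", explicit=True)
    store.disclose("anna@example.eu", "mail-provider-example",
                   "newsletter delivery", "2018-06-02")
    print(store.export("anna@example.eu"))
    print(response_deadline(date(2018, 1, 31)))  # 2018-02-28
    store.erase("anna@example.eu")
    print(store.export("anna@example.eu"))       # None
```

The export is what you would hand to a subject exercising the right of access or portability; because it is built from the same record that the business uses, it cannot silently omit a disclosure. Rejecting non-explicit consent at the point of recording is the cheapest place to enforce step 1 and step 8, since a pre-ticked form never produces a valid record in the first place.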

And that's it! As you can see, this is largely a big-business problem, and one more deeply rooted in user protection in Europe, where social media has been cited as problematic and susceptible to foreign influence.

North America isn't much affected, but the issue remains highly newsworthy, which can make some small business owners nervous when they don't need to be. That said, this Small Business BC article https://smallbusinessbc.ca/blog/the-small-business-impact-of-gdpr/ points out some seemingly harmless activities that could put you at risk of a breach, such as shipping greeting cards to customers living in the EU.
