The mad rush to understand the General Data Protection Regulation (GDPR) created panic, jokes, and some hilarious memes across the Internet's social channels. And just days before May 25th, 2018, the date the regulation became enforceable, our inboxes were full of "we've updated our privacy policies" as businesses rushed to be compliant.
- We hadn’t even heard from some of those e-mailers in years, right?
- Who else hit unsubscribe?
- Some of us just sat back and thought – that GDPR stuff is only for the EU, isn’t it?
- Or we shrugged it off – I don’t collect client data; I don’t have to worry.
Well, sorry to burst the bubble, but both those thoughts are wrong.
Data is everywhere, ubiquitous as dust, and yes, you’ve probably been collecting it.
It’s okay; we won’t judge you. We’re here to help.
The regulators who enforce the GDPR can fine you up to 20 million euros or 4% of your worldwide annual turnover, whichever is higher, if you collect or use personal information without a lawful basis. For mailing lists, sign-ups and marketing, that basis is normally the explicit consent of your clients, readers (that's for you bloggers), and customers.
Even if you are outside the EU, you have a responsibility to people inside the EU whose data you handle. They don't have to be buying anything from you: if they subscribe to your email newsletter, website or channel, you hold their personal information.
Wait. Don’t we already do this?
Many applications of the GDPR are familiar to Canadians under the Personal Information Protection and Electronic Documents Act (PIPEDA), which regulates how businesses can collect, use, and disclose personal information gathered in the course of doing business. PIPEDA covers personal information collected through interprovincial and international transactions such as global Internet sales, and amendments take effect November 1, 2018.
More about PIPEDA and PCI later; let’s first take a look at the new kid on the block – GDPR.
To be GDPR compliant, start with these tasks:
- Make a list of each location online where your business asks clients and customers for information that is personal and could identify them. Examples: sign-ups for email marketing, e-commerce payment details (such as credit card numbers), IP addresses, postal addresses, telephone numbers, location data, birth dates, and names.
- Look into your website's tracking tools. Does your business use Google Analytics and/or AdWords? If you only measure your own site's performance, your obligations are lighter, but if you use the information these tools gather for targeted advertising or any other monetizing purpose, you must get explicit consent beforehand. One caveat: analytics and advertising tags set cookies, so the cookie rules below apply to them as well.
Don't forget your cookies! A cookie lets a web browser remember information about a visitor's session. The identifier it carries lets your site tie a visitor's requests together and link them to the location, IP address and type of device seen on the server side.
Your website guests must be told (by a banner or pop-up, perhaps) that you are using cookies "to improve their browsing experience," and then given a genuine choice: an "accept and continue" button and an equally easy way to decline. Until a visitor accepts, non-essential cookies such as analytics and advertising trackers must not be set.
It is no longer acceptable to merely state that, "by continuing to use the website you agree to our terms."
WordPress contributors and developers have designed an open source plug-in called “GDPR” to help ensure your WP site is compliant. (Link is at the end of this post.)
- Social media share buttons are also trackers.
Businesses that advertise on Facebook (and Instagram) should examine and possibly change their practices concerning user data regardless of whether they market to the EU.
The Facebook Business page states:
“Businesses that advertise with the Facebook Companies can continue to use Facebook platforms and solutions in the same way they do today. Each company is responsible for complying with the GDPR, just as they are responsible for complying with the laws that apply to them today. For more information about specific Facebook ad products, see the FAQs.”
- Plan how you will protect your client information. Security is essential:
- Use dedicated servers
- Encrypt data at rest and in transit
- Create a disaster recovery plan
- Enforce strong password policies (and multi-factor authentication where your services support it)
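The cookie step above, as an added example that is not code from the original post or from the WordPress plug-in it mentions: a small consent gate in JavaScript that loads tracking scripts only after an explicit opt-in has been recorded, shown beside the "by continuing you agree" pattern the post says is no longer acceptable. The cookie name `cookie_consent`, its `accepted`/`rejected` values, and the `loadTracker` callback are assumptions for illustration; in a real page the callback would inject the analytics script tag.

```javascript
// Consent-gated tracker loading (added example, not from the original post).
// Non-essential cookies (analytics, ads) are set only after an explicit opt-in.
// The cookie name and values below are assumptions for illustration.
const CONSENT_COOKIE = 'cookie_consent';

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(raw);
    } catch (e) {
      out[name] = raw; // malformed percent-encoding: keep the raw value
    }
  }
  return out;
}

// Explicit opt-in only: a missing cookie, "rejected", or any other value
// (including a different letter case) means no consent.
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === 'accepted';
}

// Build the Set-Cookie value that records the visitor's choice. Storing the
// choice itself is strictly necessary, so it may be set before consent.
function consentCookie(choice, maxAgeSeconds = 180 * 24 * 3600) {
  if (choice !== 'accepted' && choice !== 'rejected') {
    throw new Error('choice must be "accepted" or "rejected"');
  }
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Pattern the post says is no longer acceptable: the tracker is loaded on
// every page view and the banner merely informs ("by continuing you agree").
function loadTrackersImpliedConsent(cookieString, loadTracker) {
  loadTracker('analytics');
  return true;
}

// Corrected pattern: the tracker is loaded only once an explicit opt-in
// is present in the cookie jar; otherwise nothing non-essential runs.
function loadTrackersWithConsent(cookieString, loadTracker) {
  if (!hasConsent(cookieString)) return false;
  loadTracker('analytics');
  return true;
}

// Demo over constructed cookie jars, with a stub loader that records calls
// instead of injecting a <script> tag.
function demo() {
  const loaded = [];
  const stub = (name) => { loaded.push(name); };
  loadTrackersWithConsent('session=abc123', stub);                          // no choice yet
  loadTrackersWithConsent('session=abc123; cookie_consent=rejected', stub); // declined
  loadTrackersWithConsent('session=abc123; cookie_consent=accepted', stub); // opted in
  return loaded; // only the third visit loads analytics
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
  console.log(consentCookie('accepted'));
}
```

The essential point is the default: when the consent cookie is absent, `loadTrackersWithConsent` does nothing, so a visitor who ignores or dismisses the banner is never tracked. The decline path is recorded too, so the banner is not shown again on every page.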
If you do have a security breach, the GDPR requires you to report it to the supervisory authority within 72 hours of becoming aware of it, and to notify affected individuals without undue delay when the breach is likely to put them at high risk. Mandatory breach reporting also becomes law in Canada on November 1, 2018 (see the PIPEDA section below).
Your privacy policy must tell users:
- what personal information you collect;
- how and why you collect it;
- how you use it;
- how you secure it;
- which third parties have access to it;
- how users can control any aspect of what you are doing with it.
Also, depending on the size or type of business you are conducting, you may have to appoint a Data Protection Officer (DPO). (Under the GDPR your business is the data "controller" in any case; the DPO is a separate, appointed role.) One of the links in the reading list will answer that question.
This post presents the most basic elements of GDPR compliance – enough to get you off the fence if you’ve been ignoring the whole thing. But there is more to learn.
If you have concerns about your company’s compliance with the GDPR, it would be prudent to get some legal counsel.
Further legislative requirements for your SMB include changes to PIPEDA and to the security of your Payment Card Data.
Amendments to PIPEDA to be enforced November 1, 2018:
PIPEDA applies to most private-sector organizations conducting commercial activities throughout most of Canada, however Quebec, BC, and Alberta apply their own substantially similar privacy laws.[i]
What is changing?
Amendments to PIPEDA that were made under the Digital Privacy Act in 2015 include mandatory breach reporting and record keeping. These amendments will be enforced on November 1, 2018.
Mandatory breach reporting will require organizations to notify individuals (unless prohibited by law) and report to the Commissioner[ii] all breaches where it is reasonable to believe that the breach creates a “real risk of significant harm to the individual.”
PIPEDA defines “significant harm” as including, among other harms, humiliation, damage to reputation or relationships, and identity theft. A “real risk” requires consideration of the sensitivity of the information, the probability of misuse, and any other prescribed factor.[iii]
Changes to PIPEDA will also require organizations to keep and maintain a record of every breach of safeguards involving personal information under their control.
Organizations must be prepared to take their breach notification obligations seriously as a knowing failure to comply with the breach reporting requirements could result in fines of up to $100,000.
The government of Canada publication, Breach of Security Safeguards Regulations, (September 2017)[iv] provides greater detail on mandatory breach reporting and record-keeping.
Payment Card Industry Data Security Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.
All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period.[v]
Merchant levels as defined by Visa

| Level | Criteria |
|---|---|
| 1 | Any merchant, regardless of acceptance channel, processing over 6M Visa transactions per year; or any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. |
| 2 | Any merchant, regardless of acceptance channel, processing 1M to 6M Visa transactions per year. |
| 3 | Any merchant processing 20,000 to 1M Visa e-commerce transactions per year. |
| 4 | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M Visa transactions per year. |
* Any merchant that has suffered a breach that resulted in an account data compromise may be escalated to a higher validation level.
How To Meet the PCI Standards:
For merchants at Levels 2 to 4, complete these two basic steps (Level 1 merchants must additionally undergo an annual on-site assessment by a Qualified Security Assessor):
- Pass quarterly external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV). Scans must cover every Internet-facing address in scope: your web site and email server, and any office or home-office connection (DSL, cable, wireless) that touches cardholder data.
- Successfully complete the Self-Assessment Questionnaire (SAQ) that matches how you accept cards, which asks specific questions about your security practices both on your web site and in your office, and submit the resulting Attestation of Compliance to your acquiring bank. Handing the entire payment form to a PCI-validated third party (a hosted payment page) keeps most card data out of your environment and qualifies you for the shortest questionnaire, SAQ A.
Reading list for GDPR compliance:
- 8 Rights Under GDPR
- Does your SMB need a Data Protection Officer?
- WordPress Plug In to assist a Controller, Data Processor, and Data Protection Officer (DPO) with efforts to meet the obligations and rights enacted under the GDPR.
- European Commission: Rules For Businesses and Organizations