Data Protection: how to prepare for the GDPR
29 May
Is your company scouring the Web for new customers? Do you regularly process data from the people who use your service? Beyond your target market, does your data processing potentially concern European citizens?
As we’ve previously discussed, whether you are looking to expand your commercial activities to an international market, or are simply creating your first e-commerce website, it is important to pay close attention to the personal data you process from your clients and potential clients. Moreover, if you wish to access a European market, you need to be even more attentive to those issues.
Indeed, the European Parliament recently adopted the most stringent legislation worldwide, concerning the processing of personal data. The General Data Protection Regulation (GDPR) will enter into force on May 25th 2018. This legislation will apply not only on European soil, but also beyond, and potentially to you. It will henceforth no longer be sufficient to comply solely with Canadian law.
Why Will Your Company be Affected?
This new legislation was drafted with the borderless world of the Internet in mind.
It was therefore created to have a very large scope: regardless of where your activities are located, the GDPR applies to you the moment you process personal data belonging to European residents. The GDPR applies whether your data processing is used to offer services (even if it is done for free) or simply to track the habits of individuals (for instance, commercial habits).
It is therefore very likely that you will be forced to comply with these rules, the moment you consider processing personal data.
What Data is Protected? How is it Protected?
The GDPR regulates all automated or partially automated processing of data related to an identifiable person, processed with a commercial goal in mind. This includes their name, phone number, username, email, photo, Internet habits, address, or any other information (including physical or cultural characteristics) that is sufficiently distinct to allow the individual to be identified.
You will need to be extremely vigilant in your processing of data in order to comply with these new regulations.
According to the European Parliament, the processing of data needs to be “fair and transparent”. It should therefore be done with a precise goal in mind that is clearly explained when you proceed with the processing. For instance, when sending a newsletter, it should not be necessary to collect anything more than the name and the e-mail of your recipient.
The information you process must be accurate, and when it is not, it must be possible to correct or erase it as quickly as possible upon request. Moreover, you must only keep the data for a limited amount of time, and the processing must be secure and confidential.
Finally, it is important to keep in mind that it is the duty of the processor of data to demonstrate that their practices comply with the GDPR, in particular through the application of organizational measures or practices.
Consent and Legality
Another essential element of the GDPR is that you must obtain the consent of the concerned party the moment you wish to process their data. Their consent must be well informed, and given in writing. In other words, before proceeding with the collection and processing of data, the concerned person must be clearly informed of the use that will be made of the information, and must consent in writing.
Furthermore, you cannot impose the processing of data on your customer. For instance, if you sell shoes, you cannot require your client to transmit all their personal information (beyond what is necessary for the transaction) before agreeing to proceed with the sale. They must be free to decide whether to divulge information that is not necessary for the proper functioning of your service. Finally, this consent must be just as easy to withdraw as it was to grant; you must therefore put in place the proper tools to meet this obligation.
These requirements should not be taken lightly. Indeed, the European Parliament has put in place some very strict penalties for non-compliance with the GDPR.
Supervisory authorities will be put in place, with the mission of ensuring compliance with the GDPR. These authorities will be able to restrict the processing of data or even prohibit it entirely.
Beyond these commercial penalties, which will prevent you from accessing the European market, you are also at risk of fines of up to 20 million Euros (about 30 million CAD) or up to 4% of your annual revenue, whichever amount is larger. At the same time, these penalties do not prevent a dissatisfied user from taking legal action against your business.
Managing your clients’ data is an increasingly complex process. For that reason, a number of experts recommend hiring a Data Protection Officer. However, it may not be possible or useful to hire a full-time employee for those purposes. If that is your situation, you may consider consulting an external officer, who can provide you with the services necessary to simplify this process.
The Rights of Your Clients
In short, the GDPR creates important protections for your European clients or users. A user whose data you have collected can now object to the processing of their data (for example, by refusing to have their data used to profile them). Furthermore, you cannot refuse a request to rectify user data, or a request to provide a user with all the information you have collected about them.
You should also be aware that, as opposed to Canadian citizens, European citizens have the right to be forgotten (or “right to erasure”), which must also be respected. How does it work?
Remember that when you create a file based on data from a client, you must inform them of the specific way you intend to use their information and the reasons for collecting it. Once the goal of the collection or processing has been achieved or is no longer necessary, the concerned party has the right to request that you destroy all the data you have collected on them. This right should be as easy to exercise as it was to collect the data in the first place.
What About Distance?
You may be asking yourself how your company can ensure compliance with the GDPR from over 6000 km away from the European market.
The European Parliament was particularly concerned with that issue. It is therefore mandatory for all companies that fall under the jurisdiction of the GDPR (potentially your company), to have a representative on the ground in Europe. Fear not: this representative is not necessary if the data processing you do is simply occasional.
This representative will be charged with ensuring communication between the various actors: they will receive all requests for rectification, access, and destruction, and forward them to you. They will also be in communication with the European authorities in order to pass on to you all the relevant information and any eventual complaints. There will of course be companies specialized in providing such representation, in order to help you access the European market.
The GDPR also requires any company that observes an inappropriate use of the data it holds to alert its clients, as well as the supervisory authorities, within 72 hours. Hence the importance of implementing a proper system to manage data, and of having a representative charged with communicating with the various actors.
How to Prepare?
If all this seems insurmountable, don’t worry: you are not alone. There are a number of tools and partners who will help you meet the requirements of the GDPR.
- Does the GDPR worry you? Consult this diagram for more information.
- PwC Canada, a leader in the field of financial auditing and compliance, shares their thoughts on the GDPR.
- IBM, specialists in IT, offers a series of articles to help you prepare for the GDPR.
- A very insightful blog (French only), created by a European expert on data management, presents current events pertaining to the GDPR.
- The Commission Nationale de l’Informatique et des Libertés is an independent administrative regulatory body whose mission is to ensure the application of data privacy laws. In this article they offer the perfect primer to prepare you for the implementation of the GDPR (French Only).
For example, a number of companies and organizations representing European companies will be implementing Codes of conduct (French only) and certifications that will be validated by the competent European authorities. These tools will help inform you of the main practices that can guarantee compliance with the GDPR. In fact, one of the fundamental points of the GDPR is to be transparent by offering information related to the measures you put in place to ensure compliance. As such, the implementation of a code of conduct can be quite useful.
Moreover, the GDPR takes into account the imbalance of resources between multinational corporations and smaller businesses. A number of derogations and simplifications apply to smaller businesses and lessen the burden of compliance with the GDPR. It is therefore best to choose a European partner that is specifically adapted to the needs of your business.
If you are not already in compliance: We are working hard to provide you with a product adapted to your situation. To be contacted when the product is ready, please fill out the form below.
Did you know?
These new regulations were implemented to increase the protection of personal data available on the Internet. We all saw the hashtag #deletefacebook following the recent scandal with Cambridge Analytica, where the data of more than 50 million Facebook users was processed in order to influence the American election. Facebook was reprimanded for, once again, not putting in place the measures necessary to protect user data. However, it is not the only company that has failed to protect its clients’ data, which is why the European Union has decided to act.