Avery Swartz is a tech expert who advises small businesses on all things digital. She is also the founder of Camp Tech, a tech training company for businesses and individuals across Canada.

Small-business owners who have a website with analytics-reporting tools, run online ads or use an e-mail marketing system have received a message in the past few weeks, urging them to update their account settings to comply with the GDPR. This has left many wondering “what’s the GDPR?”

The General Data Protection Regulation is the legal framework regarding data protection and privacy in the European Union that comes into full effect May 25, 2018. It affects anyone with clients, customers or website visitors in EU countries, as well as Iceland, Norway and Liechtenstein. The GDPR gives greater protection and rights to individuals and is the biggest change to European data-privacy law in more than 20 years.

If your business has clients, customers or website visitors in the European Economic Area, you must be in compliance with the GDPR. Organizations that are not can face a penalty of up to €20-million ($30-million), or 4 per cent of the worldwide annual revenue of the prior financial year, whichever is higher.

But even if you’re not doing business in Europe, following the guidelines of the GDPR isn’t a bad idea. Because so many internet-based companies operate globally, it’s easier for them to update their terms of use to meet the most stringent requirement in all countries, instead of having different policies for different regions. Many are choosing to follow the GDPR rules everywhere. They will become the de facto standard for privacy terms worldwide, even in countries that don’t police it.

Here are some tips on how to get your business in tune with the GDPR:

Start with a list

Make a list of all the places online where you ask people for personally identifiable information. Start with your website. Are you requesting names, e-mail addresses or credit card information? Online forms, comment boxes, e-mail marketing sign-ups and e-commerce are all places where you may be collecting personal data.

Looking beyond your website, where else are you collecting, storing and using customer or client data? Think about sales databases, CRM software and e-mail marketing lists. Did you have permission to collect personal information in the first place? Do you have explicit consent (and a record of that consent being given) to use the data for sales and marketing purposes? When it comes to consent and digital marketing, the GDPR is more strict than the Canadian Anti-Spam Law (CASL). Under CASL, you can market to customers or clients for up to two years after receiving “implied consent.” With the GDPR, it’s explicit consent only.

What is your website tracking?

Many of the small-business owners I work with have no idea what’s running under the hood of their websites. You likely have Google Analytics installed on your site, and may have other marketing or social media trackers as well (social media “share” buttons are a common example).

These tracking tools work through the use of “cookies,” “web beacons” or “pixels” and allow the web browser to remember information about the website visitor’s browsing session: what device they’re using, where they’re located, which pages of the website they visited, and so on. Some of that information can be personally identifiable, and as such, you must inform website visitors from the European Economic Area.

Under the GDPR, it is not enough to have passive consent for the use of cookies (through a message such as, “if you continue to use this website, you agree to our terms”). Website visitors must take action to indicate their awareness and agreement. I’ve noticed an increase in organizations with pop-ups on their sites, telling the visitor that cookies will be in use, and they must click an “accept and continue” button to continue browsing the website. The pop-up gives the website visitor the opportunity to disable cookies in their web browser or to leave the website before they are tracked.
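One way to implement the active opt-in described above, as an added example that is not from the article: tracking scripts are injected only after the visitor has made an explicit, recorded “accept” decision, and anything short of that (no decision, a declined decision, or a stray value in storage) is treated as no consent. The storage key `cookie-consent`, the `POLICY_VERSION` constant and the injected storage/document objects are assumptions for this example; in a browser you would pass `window.localStorage` and `document`.

```javascript
// Added example (not from the article). Consent gate for cookie-based trackers.
const CONSENT_KEY = 'cookie-consent';   // assumed storage key
const POLICY_VERSION = '2018-05';       // assumed: version of the privacy policy agreed to

// Parse the stored consent record. Only a well-formed record with an explicit
// boolean decision counts; continued browsing or a corrupt value is not consent.
function readConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (!raw) return { decided: false, accepted: false };
  try {
    const rec = JSON.parse(raw);
    if (rec && typeof rec.accepted === 'boolean' && typeof rec.at === 'string') {
      return { decided: true, accepted: rec.accepted, at: rec.at, version: rec.version };
    }
  } catch (_) { /* corrupt record: fall through to "no decision" */ }
  return { decided: false, accepted: false };
}

// Record the visitor's explicit decision with a timestamp and policy version,
// so the business holds a record of when consent was (or was not) given.
function recordConsent(storage, accepted, now = new Date()) {
  const rec = { accepted, at: now.toISOString(), version: POLICY_VERSION };
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Trackers load only on a recorded, affirmative decision for the current policy.
function shouldLoadTrackers(storage) {
  const c = readConsent(storage);
  return c.decided && c.accepted && c.version === POLICY_VERSION;
}

// Browser glue: append the analytics <script> tag only once consent is affirmative.
// Returns true when the tag was injected, false when it was withheld.
function loadTrackersIfConsented(storage, doc, scriptSrc) {
  if (!shouldLoadTrackers(storage)) return false;
  const s = doc.createElement('script');
  s.src = scriptSrc; // assumed: URL of your analytics snippet
  doc.head.appendChild(s);
  return true;
}

// In-memory stand-in for localStorage so the logic can be exercised offline.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
```

Wire `recordConsent(window.localStorage, true)` to the “accept and continue” button and call `loadTrackersIfConsented(window.localStorage, document, src)` on page load; nothing tracks the visitor until that click has happened.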

Make a privacy plan

Once you understand what personally identifiable information you (and your website) are collecting, you need to make a plan for how you’ll protect that information. You must keep private data secure, be able to share it with individuals if requested and be able to delete it completely. Also, if you suffer a data breach, you have to report it to the affected individuals and the necessary authorities within 72 hours.

All employees within your organization who have access to personally identifiable information need to understand the GDPR and the privacy practices of your business. You may need to formally appoint a data protection officer (check to see if that applies to your organization here).

State your privacy policy

Once your organization has a privacy plan in place, it needs to be prominently displayed as a privacy policy. I advise businesses to make a privacy policy page on their website, and post a link to it in the footer of the site. The GDPR mandates that the language in your privacy policy should be “concise, easy to understand and clear.” State what information you are collecting, exactly how you are collecting it, why it is necessary for you to collect it, what you are doing to keep the information safe, whether the data is ever shared with third parties and how someone can get in touch with you to access their data or request its removal.

If you have any specific concerns about your business’s compliance with the GDPR, speak with legal counsel. You can also read the U.K. Information Commissioner’s Office’s online guide to the GDPR, including their 12-step prep guide for organizations.
