Avery Swartz is a tech expert who advises small businesses on all things digital. She is also the founder of Camp Tech, a tech training company for businesses and individuals across Canada.
Small-business owners who have a website with analytics-reporting tools, run online ads or use an e-mail marketing system have received a message in the past few weeks, urging them to update their account settings to comply with the GDPR. This has left many wondering “what’s the GDPR?”
The General Data Protection Regulation is the legal framework regarding data protection and privacy in the European Union that comes into full effect May 25, 2018. It affects anyone with clients, customers or website visitors in EU countries, as well as Iceland, Norway and Liechtenstein. The GDPR gives greater protection and rights to individuals and is the biggest change to European data-privacy law in more than 20 years.
If your business has clients, customers or website visitors in the European Economic Area, you must be in compliance with the GDPR. Organizations that are not can face a penalty of up to €20-million ($30-million), or 4 per cent of the worldwide annual revenue of the prior financial year, whichever is higher.
Here are some tips on how to get your business in tune with the GDPR:
Start with a list
Make a list of all the places online where you ask people for personally identifiable information. Start with your website. Are you requesting names, e-mail addresses or credit card information? Online forms, comment boxes, e-mail marketing sign-ups and e-commerce are all places where you may be collecting personal data.
Looking beyond your website, where else are you collecting, storing and using customer or client data? Think about sales databases, CRM software and e-mail marketing lists. Did you have permission to collect personal information in the first place? Do you have explicit consent (and a record of that consent being given) to use the data for sales and marketing purposes? When it comes to consent and digital marketing, the GDPR is stricter than the Canadian Anti-Spam Law (CASL). Under CASL, you can market to customers or clients for up to two years after receiving “implied consent.” With the GDPR, it’s explicit consent only.
What is your website tracking?
Many of the small-business owners I work with have no idea what’s running under the hood of their websites. You likely have Google Analytics installed on your site, and may have other marketing or social media trackers as well (social media “share” buttons are a common example).
These tracking tools work through the use of “cookies,” “web beacons” or “pixels” and allow the web browser to remember information about the website visitor’s browsing session: which device they’re using, where they’re located, which pages of the website they visited, and so on. Some of that information can be personally identifiable, and as such, you must tell website visitors from the European Economic Area that it is being collected.
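One way to put the “explicit consent only” rule into practice on a website is to load analytics and social-media trackers only after the visitor has agreed, and to keep a record of that agreement. The following is an added illustration, not code from the original column or from any of the tools it mentions; the storage key, notice version, tracker list and URLs are assumptions chosen for the example.

```javascript
// Added example: gate tracker scripts behind explicit, recorded consent.
// Assumptions: one storage key, a version string for the privacy notice, and two
// constructed tracker entries (the Google Analytics ID is a placeholder).
const CONSENT_KEY = "tracking_consent";       // assumed localStorage key
const POLICY_VERSION = "2018-05-25";          // bump when the privacy notice changes

const TRACKERS = {
  analytics: "https://www.googletagmanager.com/gtag/js?id=GA_MEASUREMENT_ID_PLACEHOLDER",
  social: "https://example.invalid/share-buttons.js", // constructed placeholder
};

// A consent record says what was agreed to, when, and under which notice version,
// so the business can later show that consent was actually given.
function makeConsentRecord(purposes, now = new Date()) {
  return {
    purposes: Array.from(new Set(purposes)),
    policyVersion: POLICY_VERSION,
    grantedAt: now.toISOString(),
  };
}

// Explicit consent only: no record, a record for an older notice, or a record
// that does not name this purpose all mean "do not load the tracker".
function hasConsent(record, purpose) {
  if (!record || record.policyVersion !== POLICY_VERSION) return false;
  return Array.isArray(record.purposes) && record.purposes.includes(purpose);
}

// Stored records come from the browser and may be missing or corrupted.
function parseStoredConsent(raw) {
  if (!raw) return null;
  try { return JSON.parse(raw); } catch (e) { return null; }
}

// Which tracker purposes the stored record permits.
function allowedTrackers(record) {
  return Object.keys(TRACKERS).filter((purpose) => hasConsent(record, purpose));
}

// Browser only: inject a <script> tag per consented purpose. Outside a browser
// (no `document`) nothing is injected, so the function can be tested in Node.
function loadConsentedTrackers(record, doc = typeof document !== "undefined" ? document : null) {
  const allowed = allowedTrackers(record);
  if (doc) {
    for (const purpose of allowed) {
      const script = doc.createElement("script");
      script.src = TRACKERS[purpose];
      script.async = true;
      doc.head.appendChild(script);
    }
  }
  return allowed;
}
```

In a page, the consent banner’s “agree” handler would call `makeConsentRecord` and save the JSON under `CONSENT_KEY`, and each page load would run `loadConsentedTrackers(parseStoredConsent(localStorage.getItem(CONSENT_KEY)))` instead of embedding tracker snippets unconditionally.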
Make a privacy plan
Once you understand what personally identifiable information you (and your website) are collecting, you need to make a plan for how you’ll protect that information. You must keep private data secure, be able to share it with individuals if requested and be able to delete it completely. Also, if you suffer a data breach, you have to report it to the affected individuals and the necessary authorities within 72 hours.
All employees within your organization who have access to personally identifiable information need to understand the GDPR and the privacy practices of your business. You may need to formally appoint a data protection officer (check whether that requirement applies to your organization).
If you have any specific concerns about your business’s compliance with the GDPR, speak with legal counsel. You can also read the U.K. Information Commissioner’s Office’s online guide to the GDPR, including their 12-step prep guide for organizations.