GDPR for North American Small Businesses
What is GDPR?
GDPR stands for General Data Protection Regulation. It is a new European regulation coming into effect on May 25th, 2018, a privacy law meant to give consumers more control over their personal data. The EU has always been more aggressive in protecting the consumer, whereas the North American approach tends to protect the business. As a consumer I applaud that, but as a small business owner I wonder how it will affect my business.
The new EU regulation was approved on April 14th, 2016, but it is only in the last few months that we have been hearing much about it here in North America. It is now a hot topic, and with less than a month until implementation it is still a grey area for most small businesses. The European Commission is charged with protecting the rights of its 28 member states, of which Canada and the US are not part (and soon the UK won’t be either, thanks to Brexit). The European Commission already has a data protection law in place, which, if you suffer from sleep deprivation, you might like to read here. There is also an EU Cookie Law in place, although this will be replaced by the new EU ePrivacy Regulation. Although designed to go hand in hand with GDPR, the ePrivacy Regulation won’t be implemented at the same time, as it is still under development (getting 28, and now 27, member states to agree is clearly a challenge!). It is, however, expected later in 2018.
Why can’t they just combine it all under GDPR? Well, two laws are needed because they cover two different rights in the European Charter of Human Rights (think of it as a Bill of Rights for European Union countries). The GDPR covers the right to protection of personal data, meaning any data that relates to or could be used to identify someone in any way, while the ePrivacy Regulation encompasses a person’s right to a private life, including confidentiality.
So in a nutshell, this means all organisations ‘handling’ personal data of residents or citizens of the European Union (EU) will have to comply with GDPR come May 25th, 2018.
“Wait I’m not European and I don’t deal with Europeans! Phew then GDPR doesn’t apply to me?”
NO ONE IS EXEMPT!
Your business is out there on the great white interweb! And unless you geo-block the whole of Europe (geo-blocking means restricting access to internet content based on a user’s geographical location), then you can potentially collect data from an EU citizen. Data travels well beyond the borders of EU countries, and that data will be protected by GDPR if it comes from an EU resident or citizen.
And would geo-blocking still be enough? I have dual citizenship, born in England and now a citizen of Canada, and my British passport currently affords me protection as an EU citizen, at least until we depart the European Union, waving our flags and wiping tears away, on 29th March, 2019.
Check out this video from https://www.whatisgdpr.eu for a brilliant summary.
How do you collect private data?
You might wonder how exactly you might be capturing data from those EU citizens. Here are a few examples:
- You have an email opt-in form on your website.
- You sell goods or services online and collect your buyers’ details.
- You allow people to register and log in to your website. This applies to any CMS site, so it includes WordPress, Joomla, Drupal, etc.
- You sell an online learning course and your customers have to log in.
- You have a sign-up page for an event (e.g. a webinar).
- You track where your site visitors come from and how they interact with your site (e.g. Google Analytics, ConvertFox, etc.).
OK, So that’s my business! How do I comply with GDPR?
In the simplest terms possible you need to:
- Obtain consent, or have a good reason, to store or process any personal information you collect.
- Allow a person to know what information is being stored about them; it is their right. Inform the user what the data is being used for, who will be handling the data (the Collector) and how the data was obtained.
- Allow a person to request that the information you hold on them be deleted (the Right to be Forgotten). There are exceptions where there is a reason not to ‘forget’, such as bank or loan accounts.
- Allow a person to download the data you are holding on them.
- Allow a person to move their data from one company to another (Data Portability).
- Ensure all personal data is protected. Any new systems must have privacy built into them up front rather than as an afterthought (Privacy by Design), and access to any system must be strictly controlled and only given when required (Privacy by Default).
- Notify the authorities of any breach or loss of data, and set up a system to notify those whose data was breached.
- Only use the data for the reason consent was given in the first place, and not for anything else.
Larger organisations are required to appoint a Data Protection Officer. Most small businesses won’t need to do this, but should be looking to appoint one person who is the single point of contact for data-related issues and questions, thus complying with Privacy by Default.
If you are a solopreneur – guess what? You just got a new job to do!
How will GDPR be enforced in North America?
There’s a widely held belief among small businesses in North America that it won’t affect them because the EU holds no jurisdiction over North America.
The truth is that no one really knows how GDPR will be enforced in North America, and we likely won’t know until a company is found non-compliant. But given that breaches can cost companies up to 20 million Euros (CDN$31 million or US$24 million) or 4% of their annual global turnover, the penalties are not insignificant.
We will see an increasing number of the products, software and services we use as small businesses move towards being GDPR compliant in order to survive. Smaller companies that don’t comply will fall by the wayside, forcing us to change the way we do business ourselves. We need to be careful which third-party companies we choose to do business with; see more about this below.
So what can we do as small businesses to comply with GDPR?
Consult a lawyer to discuss your own individual situation. This is not a step to skip!
We are then going to have to look at our own internal business systems and see where we need to comply. Start to move to third-party providers that are already GDPR compliant: email and hosting service providers, WordPress plugins, your CRM service, and the developers, designers and marketing agencies that you work with. You can be held responsible for breaches made by data processors that you work with, so choose wisely.
Your WordPress Website and GDPR
There are many plugins and tools around now that offer GDPR compliance for your website. Here are three of my favourites. They are all free at the time of writing. I have looked at several paid options, one of which tries to do everything, but they come with a hefty price tag.
These plugins will go a long way to getting your WordPress site GDPR compliant. Just remember that GDPR compliance isn’t just about your website; it includes all your processes as a business, which you will need the help of a lawyer to address. The use of these plugins is by no means legal advice on my part. But rest assured, if you get hauled off to GDPR detention I will use my British passport to come visit you (as long as it’s before March 29th, 2019 *Brexit *sniff).
This plugin alone will not make you GDPR compliant but it addresses the ‘consent to collect’ data issue.
This plugin was designed by a Canadian company to assist a Data Protection Officer or Controller with the GDPR requirements. It adds widgets to your website so that users can:
- Request that their data be deleted
- Request a downloadable file of their data
- Submit corrections for any data you have on file
To Sum Up
Don’t keep sticking your head in the sand, thinking GDPR doesn’t apply to you. Small businesses around the world are not exempt, and you need to educate yourself about the laws and keep current with the changes.
There will more than likely be a lot of businesses in the firing line before the regulators start targeting North American small businesses. It’s already rumoured that the audits will start with big companies that have already experienced data breaches (can’t think of any of those offhand, can you?).
But why not spend some time and make the effort to implement the above suggestions? In particular, if your company can comply with user requests such as the “Right To Be Forgotten”, you will put yourself way ahead of a lot of companies.
Don’t be the business that gets used as a test case for non-compliance!
I would invite comments, but I’ve switched them off for now. Please feel free to connect with me in another way if you’d like to discuss this topic.