Chances are if you’ve used the internet this past month (and chances are you have?) you’ve become well aware that anywhere and everywhere, privacy policies are changing. Why is that?
Well, at the end of next week, May 25th, the European Union will begin enforcing GDPR, the General Data Protection Regulation. But that’s over in Europe, so nothing to worry about here in Canada, right? Not quite. Even if you’re a Canadian company targeting Canadian customers, the internet is international business. Regardless of where you’re located, Europeans may still find their way to your website, so aiming for GDPR compliance is the safe bet.
Are you a Data ‘Controller’, or Data ‘Processor’?
The first change you’ll have to make to your policy is right in the introduction. GDPR requires that you define whether you are the controller or the processor of data. It might sound like jargon, but the distinction is fairly simple. If you determine the purposes for which data is collected and processed, you’re the controller. On the other hand, if you process data on behalf of the controller (for example, storing data on a server or performing analytics), then you are the data processor. In our case, Google performs our analytics and MailChimp handles our mailing list; therefore, we are the data controller. This is likely the case for your company as well. Simply state in your policy’s introduction whether you are a data controller or a data processor.
Information Collected and Legitimate Interest
GDPR requires that every type of data you collect be explicitly stated in your policy. For most policies this is already the case, so there isn’t much to worry about here. However, the regulation extends this common practice by requiring you to state the legal basis for collecting each type of data. You cannot blindly collect personal information without a stated use. Many existing policies already state the purpose of data collection, but give yours a scan to make sure it’s in there.
The legal basis for collecting information can be:
- Legal obligation
- Vital interests of the data subject
- Public task
- Legitimate business interests
Policies must now not only inform users of what you will do with their data, but also what they can do. GDPR outlines new data rights afforded to visitors, and it is your obligation to make sure your visitors are aware of them. It doesn’t have to be written in legalese; in fact, plain English is preferred. The rights are as follows:
First and foremost, data subjects have the right to confirm if controllers in fact process their personal data. Should the answer be yes, subjects may then request the following:
- A copy of the personal data undergoing processing
- Purpose of processing
- In particular, if automated decision-making or profiling takes place, and if so, the logic involved, significance and likely consequences of such processing
- Categories of data processed (e.g., name, address, online browsing behavior)
- Any third-party recipients of this personal data, both past and future, especially recipients in third countries (i.e. countries outside the EU)
- What safeguards are in place to protect data that is transferred
- Any third-party sources of the data subject’s personal data (i.e. data not collected from the data subject directly, for instance data purchased from another source that originally collected it)
- How long such personal data will be stored or, if that cannot be determined, the criteria used to decide the retention period
- The existence of the rights to:
  - Restriction of processing
  - Objection to processing
  - Complain to a supervisory authority
Ta-da! You’re GDPR-ready.
New regulations can certainly seem like a confusing hassle, but as you can see, there are only a few extra steps needed to bring your old policy into compliance.
As a quick recap, you’re compliant if you:
- State if you’re the controller or processor.
- Explicitly state the data you collect and the legal basis for collecting it
- Inform the subject of their data rights
- Provide contact details (in extreme cases, also designate a Data Protection Officer)
- Receive explicit consent on forms
And there you have it, five steps to avoid a legal nightmare!
Still curious about data protection? Contact our marketing agency in downtown Vancouver, we’ll be happy to point you in the right direction. Feel free to call or visit – we always have chocolate 😉