One Week Left Until GDPR

Chances are if you’ve used the internet this past month (and chances are you have?) you’ve become well aware that anywhere and everywhere, privacy policies are changing. Why is that?

Well, at the end of next week, May 25th, the European Union will begin enforcing GDPR, the General Data Protection Regulation. But that’s over in Europe, so nothing to worry about here in Canada, right? Not quite. Even if you’re a Canadian company targeting Canadian customers, the internet is international business. GDPR applies to any organisation, wherever it is located, that offers goods or services to people in the EU or monitors their behaviour (Article 3), and Europeans will find their way to your website. So it’s safe to bet on GDPR compliance, no matter where you’re located.

As we made updates to our own privacy policy, we highlighted the changes below so that you can bring your own policies up to speed.

Are you a Data ‘Controller’, or Data ‘Processor’?

The first change you’ll have to make to your policy is right in the introduction. GDPR requires that you define whether you are the controller or the processor of data. It might sound like jargon, but the distinction is fairly simple. If you determine the purposes and means of data collection and processing, you’re the controller. If you process data on behalf of a controller (such as storing data on a server, or performing analytics) then you are the processor. In our case, Google performs our analytics and MailChimp handles our mailing list, so they act as our processors and we are the data controller. This is likely the case for your company as well. Simply state in your policy’s introduction whether you are a data controller or processor. One thing the policy alone does not cover: as a controller you must also have a written data processing agreement with each processor (Article 28), which large providers publish for their customers to accept.

Information Collected and Legal Basis

GDPR requires that all types of data you collect be explicitly stated in your policy. For most policies this is already the case, so not too much to worry about here. However, the regulation extends this common practice: you must also state the purpose of each kind of processing and the legal basis for it (Article 6). You cannot collect personal information without a lawful basis for a stated purpose. Many policies already state the purpose for data collection, but give yours a scan to make sure the legal basis is in there too.

The legal basis for collecting information must be one of the following (Article 6(1)):

  • Consent
  • Contract
  • Legal obligation
  • Vital interests of the data subject
  • Public task
  • Legitimate interests (yours or a third party’s, provided they are not overridden by the data subject’s rights)

Your Rights

Policies must now not only inform the user of what you will do with their data, but also what they can do about it. GDPR outlines data rights afforded to visitors and it is your obligation to make sure that your visitors are aware of these. It doesn’t have to be full legalese; in fact, the regulation requires that this information be given in clear and plain language (Article 12). The rights are as follows:

First and foremost, data subjects have the right of access (Article 15): they can ask you to confirm whether you in fact process their personal data. You must answer within one month and, for the first copy, free of charge. Should the answer be yes, subjects may then request the following:

  1. A copy of the personal data undergoing processing
  2. Purpose of processing
    • In particular, if automated decision-making or profiling takes place, and if so, the logic involved, significance and likely consequences of such processing
  3. Categories of data processed (e.g., name, address, online browsing behavior)
  4. Any third party recipients of this personal data, whether it has already been disclosed to them or will be, especially recipients in third countries (i.e. countries outside of the EU)
    • What safeguards are in place to protect the data being transferred
  5. Any third party sources of the data subject’s personal data, where it was not collected from the data subject directly (for instance, purchased from another source that collected it)
  6. How long such personal data would be stored, or if that’s not determinable, how the length of this period would be determined
  7. The existence of the rights to:
    • Rectification
    • Erasure
    • Restriction of processing
    • Objection to processing
    • Lodge a complaint with a supervisory authority

Contact Details

If people are to exercise their data rights, they need a way to reach you. To make sure you’re compliant, include clear contact details such as your full mailing address, phone number, and email (and the contact details of your Data Protection Officer, if you have one). By the way, if you’re collecting emails for a newsletter or contact form, you need your registrants’ consent to that processing, and under GDPR consent means a freely given, specific, informed and unambiguous affirmative act: a checkbox the visitor ticks counts, while a pre-ticked box, silence or inactivity does not (Recital 32). To meet this requirement, include an unticked checkbox at the end of your forms that names what is being consented to, for example, “I consent to receive the newsletter by email, as described in the Privacy Policy”. Keep a record of when and to what each person consented, since you must be able to demonstrate it (Article 7), and make withdrawing consent as easy as giving it.
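To show what “record the consent” means in practice, here is an added example of the server side of such a sign-up form; it is not code from the original post or from any of the tools it mentions. The form field names (`email`, `consent`), the `POLICY_VERSION` string, the `CONSENT_TEXT` wording and the in-memory `ConsentLog` are all illustrative assumptions to be replaced by your own form and database. It repeats the checkbox check on the server (the browser’s `required` attribute can be bypassed by anyone who POSTs directly), stores what was consented to and when, and records withdrawals without deleting the history.

```python
# Added example (not code from the original post): server-side handling of a
# newsletter sign-up with an unticked consent checkbox. Field names, the
# POLICY_VERSION string and the in-memory log are illustrative assumptions.
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed markup for the checkbox: unticked by default and naming the
# specific processing it covers, not just "the policy".
CONSENT_CHECKBOX_HTML = """
<label>
  <input type="checkbox" name="consent" value="yes" required>
  I consent to receive the newsletter by email, as described in the
  <a href="/privacy">Privacy Policy</a>.
</label>
"""

CONSENT_TEXT = ("I consent to receive the newsletter by email, "
                "as described in the Privacy Policy.")
POLICY_VERSION = "2018-05-25"  # assumed: change whenever the policy text changes

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class ConsentError(ValueError):
    """The submission does not carry valid consent (or a usable email)."""


@dataclass(frozen=True)
class ConsentRecord:
    """Enough to demonstrate later that, when, and to what the person consented."""
    email: str
    status: str          # "given" or "withdrawn"
    purpose: str
    consent_text: str    # the exact wording shown next to the checkbox
    policy_version: str
    at: str              # ISO 8601 timestamp, UTC
    source: str          # which form or channel produced the record


def _utc_stamp(now: Optional[datetime]) -> str:
    """ISO 8601 UTC timestamp; `now` is for tests, aware datetimes expected."""
    ts = now or datetime.now(timezone.utc)
    return ts.astimezone(timezone.utc).isoformat(timespec="seconds")


def process_signup(form: Dict[str, str], *, source: str = "newsletter-form",
                   now: Optional[datetime] = None) -> ConsentRecord:
    """Validate a submitted sign-up form and return the consent record to store.

    The browser's `required` attribute is a convenience for the visitor, not a
    control: anything can POST to the endpoint, so the check is repeated here.
    """
    email = form.get("email", "").strip().lower()
    if not EMAIL_RE.match(email):
        raise ConsentError("invalid email address")

    # Only an affirmative act counts. A missing field means the box was left
    # unticked; any other value is treated as no consent rather than guessed at.
    if form.get("consent") != "yes":
        raise ConsentError("consent checkbox not ticked")

    return ConsentRecord(email=email, status="given", purpose="newsletter",
                         consent_text=CONSENT_TEXT, policy_version=POLICY_VERSION,
                         at=_utc_stamp(now), source=source)


class ConsentLog:
    """Append-only history per address: withdrawals are recorded, not deleted,
    so the full history can still be produced if someone asks for it."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def add(self, rec: ConsentRecord) -> None:
        self._records.append(rec)

    def withdraw(self, email: str, *, source: str = "unsubscribe-link",
                 now: Optional[datetime] = None) -> None:
        # Withdrawing must be as easy as consenting: one call, no re-validation.
        self._records.append(ConsentRecord(
            email=email.strip().lower(), status="withdrawn", purpose="newsletter",
            consent_text="", policy_version=POLICY_VERSION,
            at=_utc_stamp(now), source=source))

    def history(self, email: str) -> List[ConsentRecord]:
        """What you would hand over in response to an access request."""
        key = email.strip().lower()
        return [r for r in self._records if r.email == key]

    def has_consent(self, email: str) -> bool:
        """True only if the latest record for the address is a grant."""
        hist = self.history(email)
        return bool(hist) and hist[-1].status == "given"
```

Before sending anything, the mailing code should call `has_consent(email)` rather than trusting that an address is on the list; that keeps the unsubscribe link honest without a separate suppression table.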

Ta-Da! Your policy is GDPR ready.

New regulations can sure seem like a confusing hassle, but as you can see there are only a few extra steps to bring your old policy into compliance.

As a quick recap, your policy covers the basics if you:

  • State if you’re the controller or processor.
  • Explicitly state the data collected, its purpose and its legal basis
  • Inform the subject of their data rights
  • Provide contact details (and designate a Data Protection Officer if you are a public body or your core activities involve large-scale monitoring of people or large-scale processing of sensitive data, Article 37)
  • Receive explicit consent on forms, and keep a record of it

And there you have it, five steps to avoid a legal nightmare!

Still curious about data protection? Contact our marketing agency in downtown Vancouver, we’ll be happy to point you in the right direction. Feel free to call or visit – we always have chocolate 😉