It has been more than two years since it came into force, and it is still shaking up the web. The General Data Protection Regulation, applicable since May 25, 2018 in Europe, has given European businesses a scare... but they are not the only ones. Even outside Europe, you may be concerned by its application.
- How do I know if my business is impacted?
- What does this imply?
- How to comply?
We will try to answer these questions in this article, but we only share our own knowledge of the subject, focusing on the digital side. If you need to bring your business into compliance with the GDPR, we advise you to contact a specialized lawyer.
GDPR, what is it?
The General Data Protection Regulation (GDPR) is a European Union regulation that harmonizes the protection of the personal data of people in the European Union.
This regulation has two major effects:
- It gives individuals in the EU better visibility and control over their personal data hosted or processed by the organizations concerned (what data is collected, its nature, why it is collected, how long it is kept, how it is stored...)
- It requires organizations to let individuals control the life cycle of their data (collection, update, transfer, deletion) on request. In turn, this implies that the organization knows precisely where its data is, how it flows and how long it is retained, which makes handling it easier and safer.
Is my website affected by the GDPR?
This regulation applies to any organization that collects the personal data of people in the EU as part of its activity, wherever in the world it is established. Canadian companies with an establishment in Europe, or offering services used by people in the EU (associations, dating sites, social networks, web hosts, etc.), are no exception.
If your website collects data from people in the EU (for analytics, contact forms or customer relations), then you need to bring it into line with the GDPR.
Bringing my website into compliance with the GDPR
- Do you have a Google Analytics account or other tracker associated with your website?
- Do you have a sign-up form for a newsletter, a contact form, or any other form that asks for at least a name and an e-mail address?
- Does your site receive visits from the European Union?
If so, your site collects personal data subject to the GDPR. The basic rule of this regulation is transparency. You must put a few elements in place to avoid administrative or financial trouble (the penalties are very high; we discuss them below):
- The contact details of the person in charge of personal data (the data controller or, if you have one, your data protection officer)
- The purpose of the collection (analytics, getting in touch, order processing...)
- The retention period (bearing in mind that a European data subject can ask you to erase their data at any time and, apart from the exceptions provided by the regulation, you are obliged to honor the request)
- A reminder of users' rights (objection, access, rectification and erasure)
- Who can access the collected data (especially when you outsource processing or use a subcontractor)
- The security measures in place and what happens in case of a problem, hack or loss
Ask for your users' consent! For example, add a checkbox at the end of your forms that states what is collected and why, and that gives you proof of the user's agreement (note that this box must NOT be checked in advance).
Cookies and trackers
Learn more about GDPR
If you would like to know more about the GDPR and how it relates to your company, here is some information to help you better understand this regulation and its impact on you and your organization.
How GDPR works
- Accountability: The organization must ensure that its products and services comply with the GDPR and must be able to demonstrate to the supervisory authorities that it has fulfilled its data protection obligations.
- Privacy by Design: The program, application, service or other product must be designed with the GDPR rules applied upstream. Compliance must not be bolted on after the product or service is launched.
- Security by Default: This means reinforcing security across the information system at every level, physical (hardware) and logical (software), and being able to remediate any security problem quickly and effectively.
- Data Protection Officer (DPO): Some organizations are required to appoint a data protection officer, who manages data protection matters, ensures compliance with the GDPR and is the point of contact with the supervisory authorities.
- Rights of individuals: Companies must provide a way for individuals to view and control their data (they can request a readable copy, or even the complete erasure of their data). This goes hand in hand with consent, which must never be implied, for example by pre-checking a box.
- Impact assessment: The GDPR requires companies to carry out a data protection impact assessment before launching a new service whose processing of personal data is likely to result in a high risk for the people concerned. The French Commission Nationale de l'Informatique et des Libertés (CNIL) provides free, open-source software for these assessments.
Penalties: In case of non-compliance, the EU provides for heavy fines, applying the higher of the following two amounts:
- 4% of worldwide annual turnover
- 20 million euros (nearly 30 million Canadian dollars)
In addition, the company will also have to pay any damages awarded for the harm suffered through its non-compliance if legal action follows.
Example of a sanction applied to date: In January 2019, Google was fined 50 million euros by the CNIL for lack of transparency and insufficient information to users about their personal data.
If the restrictions requested by a user would prevent the company's services or products from working properly, or would make registration to the service pointless, the company or organization may refuse the registration, as long as the refusal is justified and not abusive.
Note also that the GDPR protects individuals located in the European Union, whatever their nationality. Personal data of people outside the EU is not subject to it, but for a Canadian organization it must still be handled in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA).
Thanks to the GDPR, every person in the EU has the right to request, at any time, all the data a company or organization holds about them, to know for what purpose that data is used, and to ask that its use be restricted or that it be deleted.
It is therefore possible for a European data subject to request that some of this information not be used for advertising targeting, as practiced by Google, Facebook and others.
However, if you are a Canadian citizen in Canada, companies collecting your data are not bound by the GDPR; on the other hand, they must comply with PIPEDA.
Bringing my business into compliance with the GDPR
If you need to make your company comply with the GDPR, here are some references that can help you in your efforts (do not hesitate to contact a lawyer if you feel lost):
- The website of the Commission Nationale de l'Informatique et des Libertés (CNIL, France) offers a complete guide to complying with the GDPR
- It also provides free tools to help organize data collection and the return of data to the people concerned
Reminder: as mentioned above, the CNIL also provides free, open-source software for impact assessments.
What you must remember
If you have offices in the EU, if you process data on behalf of a company with customers in the EU, or if your website (or other digital service) is available to and/or collects data from people in the EU, then you are concerned and must bring your company and your website into compliance with the GDPR (otherwise you risk heavy penalties).
- If you need to bring your BUSINESS into line with the GDPR, we are not qualified to give legal advice. The information in this article is guidance only. Please contact a specialist to ensure your compliance.