What's this about the GDPR...?

If you've checked your email recently (and we're willing to bet you have), this probably looks very familiar:

GDPR emails have reached 100% inbox saturation.

The wave of Privacy Policy updates is the direct result of Europe's new General Data Protection Regulation (GDPR), which went into effect today. Businesses and other organizations are required to alert their customers or users whenever they update their policies and, surprise surprise, most have done so in the week leading up to the deadline.

So what is it? Canadians will probably liken it to Canada's Anti-Spam Legislation (CASL), which was all the rage a couple of years ago. The GDPR, however, is quite different. While CASL governs the way organizations can send electronic messages, the GDPR doesn't deal with spam, but with the collection, storing, and use of Personally Identifiable Information (PII), which is "any data that can be used to identify a specific individual." And the possible fines for non-compliance are pretty hefty.

If your organization uses a mailing list, sells any services or products online, or even has a website that uses Google Analytics, for example, you've probably been paying attention to the GDPR roll-out and wondering whether it affects how you collect, store, and use all kinds of personal user data. The barrage of emails from tools like MailChimp asking "Are you ready for the GDPR?" may have even been causing you night terrors. (We can relate.) The short answer is, yes, it does affect you, even if you don't operate primarily in Europe. But there's no need to panic just yet.

Despite early reports of major companies like Facebook and Google getting hit with multi-billion-dollar lawsuits on day one (yikes), the general consensus is that most companies, even in the EU, are unprepared for compliance and there's a fair bit of uncertainty around how the new regulation will actually be enforced. If you have relatively few website visitors or customers from the EU, there's even less reason to simply admit defeat and microwave all your hard drives.

Mr. Robot (?) is not having it.

All that being said, you should be paying attention and thinking about how you can update your privacy and data collection processes to keep up to date with evolving standards and expectations from the public. It's a very realistic possibility that these new rules are on their way to becoming the global standard. Plus, all those tools you use, from Google Analytics to MailChimp, will be making changes that will affect you.

Disclaimer before we continue: BookNet Canada has zero legal expertise in relation to the GDPR and we're not responsible for any actions you take as a result of reading this blog post. For actual legal advice, consult a lawyer!

So what should you be doing? Here are a few steps you can take to ease your GDPR anxiety:

  1. Lots of people have already written easy-to-read guides to the GDPR, even for businesses in Canada, so we won't repeat it all here. (And we do NOT recommend trying to read the regulation itself.) Read this to get a better understanding of what's happening and what's expected of you.
  2. Take stock of all the ways your organization collects data, including everything from people making purchases on your website to someone giving you their email address while registering for an event.
  3. For each of these areas, make sure you have express consent or some kind of contract, like a purchase or form submission, that is transparent about how you're going to store and use the data you're collecting (like a Terms & Conditions or Privacy Policy). You also need a legitimate reason for collecting that information, and your customers or website visitors need to be able to request access to the data you have stored, or ask that you delete it.
  4. Check with all the third-party services you use to collect data, like Google Analytics and MailChimp. They will probably have some documentation you can read about how they're handling GDPR. Review your agreements and settings with each one.
  5. If you update your Privacy Policy, make sure to inform all your users or customers. And if you don't have a policy, definitely consider creating one. But maybe wait until next week to send out that email notice...

We can't promise to ease all your GDPR woes with this information, but it's a place to start. At the end of the day, remember that the regulation's intent is to make it easier for people to control who gets their data and what happens to it, which is an idea we can all get behind, fines or no fines.