
Saturday, 12 May 2018

THE SMALL BUSINESS IMPACT OF GDPR

On May 25th, 2018, the General Data Protection Regulation (GDPR) will come into effect across the EU, with global implications. Canadian organizations – from start-up to enterprise – that do business with the EU or have an online presence that markets to EU customers must ensure policies for managing EU-based personal data will be GDPR compliant.


While the GDPR is only applicable to EU residents, Canadians are knowledgeable about their privacy rights too, and cautious about the perceived threat of new technologies. According to the 2016 Survey of Canadians on Privacy prepared for the Office of the Privacy Commissioner of Canada, the vast majority of Canadians (92 percent) expressed some degree of concern about the protection of their privacy. In an age of virtually instantaneous information-sharing, protecting personal data is a priority for many people, regardless of the country in which they live.
Businesses large and small need to be prepared for the impact the GDPR will have on how they do business and exchange information with customers. However, a recent global survey by Commvault reveals that only a small percentage of organizations (12 per cent) believe they will be compliant with GDPR by the deadline.
With less than 30 days to go, here are ten everyday workplace activities that should be considered more carefully from May 25th onward.

Celebrating Office Birthdays

An individual’s date of birth is their own personal data. Under the GDPR, it cannot be shared without express consent by the individual. So it is worth checking that you have everyone’s permission to host a shared calendar of birthdays in the office.

Sending Greeting Cards

If you were planning to send holiday greeting cards to your customers, you might want to think twice. If the cards will include individuals’ home addresses, make sure to acquire consent of the individuals in advance. If you do not have express consent to contact each customer, a different legitimate basis must be established for each business communication you send. So, it may be for the courts to decide the business legitimacy of sending season’s greetings.

Sharing Baby Photos

Think carefully before sharing baby photos with international colleagues. Personal data can only be transferred internationally if the country has been designated by the EU as providing an adequate level of data protection or by complying with an approved certification mechanism such as the EU-US Privacy Shield. Of course, if the sharing of a baby photo is deemed a purely personal activity, then it can be argued to fall outside of the scope of the GDPR.

Catering for Allergies

Do you have colleagues with nut allergies? Or perhaps they have kosher or halal dietary requirements? Sorry to say but these are all classed as personal data. So, before you call a restaurant or caterer, make sure you have your colleague’s permission to share their personal information with others.

Sharing Resumes for a Second Opinion

Not sure about a potential candidate for a role in your organization? Keep in mind that a resume contains personal data before sharing it for a second opinion. Of course, you could argue that it would be reasonable to share a resume of an applicant with others in the company on a need-to-know basis. However, an easy way to get a second view of a resume is to make it anonymous, by removing the name, address, phone number and any other identifiable information. This is also becoming a growing trend among businesses as part of an approach to remove gender and race bias in recruitment.

Joining a Mailing List

Does your website registration form have a pre-ticked box for customers to receive marketing information from third parties? You might want to rethink that come May 25th. Under the GDPR, silence, pre-ticked boxes and inactivity will no longer suffice as consent. You may also want to read through your privacy terms online, as any request by a business for consent to use personal information must be intelligible and in clear, plain language.

Talking Politics at Work

Political opinions are part of a special category of personal information, and organizations cannot record or process data about this type of information. So, if you were planning a company webcast about a forthcoming election, it may be best practice for a speaker to preface any comments with the phrase “I expressly consent to share this information about my political opinions”.

Calling in Sick

Health information is also part of that special category of personal information. Therefore, if you need to call in sick one morning to address a medical condition, you can’t then return to your sickbed and hope that the message will be passed on unless you have expressly consented for that information to be shared with every person who needs to be told. Alternatively, an individual can personally share that information themselves.

Data Auditing

Under the GDPR, an organization needs to have a designated person responsible for data protection matters, and in some cases, a company may need to formally appoint a Data Protection Officer before carrying out any large-scale processing of personal data. The appointed individual would be responsible for raising awareness of data protection regulations in an organization, training staff and managing audits of data processes.

Managing Data Breaches

If your business suffers a data hack, you’ve got to think quickly about alerting people. Under the GDPR, if personal data is accidentally or unlawfully lost, destroyed, altered or damaged, it needs to be reported to the supervisory authority within 3 days. And it’s not just the relevant authority that needs to be notified, all individuals impacted need to be informed too if it is likely to result in financial loss, identity theft or fraud.

Friday, 11 May 2018

10 Steps to Preparing Your Business for the GDPR (General Data Protection Regulation)

by Susan Friesen

Even if Your Business is Not Located in the EU
The General Data Protection Regulation is a new set of rules that amends the current Data Protection Act and will soon be mandatory for businesses dealing with European consumers.
From May 25, 2018, the regulation requires the safeguarding of the personal information of all citizens of European Union member states. While many businesses are already aligned with its requirements, it's important to make sure your business has everything covered.
This article takes a look at what you need to have in place in order to avoid being found in violation of the GDPR.
The truth is these new rules are aimed at large companies who deal in information as a source of revenue. Smaller businesses aren't likely to be penalized the 4% of worldwide gross or 20 million Euros that large corporations will if they're found in violation.
If you're worried about having a mountain of work ahead of you to prepare, you shouldn't be. If you're unsure whether you will be affected, look for these key signals:
1. You deal in information as a commodity;
2. You request users' data when they complete a purchase and use the data elsewhere or store it;
3. You deal with one or more European countries.
If the answer is no to all of these, then you will be fine!
So what can you do just in case?
Here's 10 steps your business can take to be best prepared for the GDPR, even if you are not physically located in the EU.
1. If your website has an online form that includes a pre-checked box giving permission to receive promotional emails from third parties, this box now needs to be unchecked by default.
2. If your business conducts any form of list-building, ensure everyone on that list has given explicit permission to be on it. Under the Canadian PIPEDA, implied permission was enough; however, if any EU residents are in your database, the rules are much firmer and give subscribers the right to obtain the information stored on them.
3. Make sure your entire staff is aware of the new rules. Circulate a memo to all personnel with a follow-up meeting where the points are reviewed. Asking a few questions to key players whose roles would be most affected by the new rules is a great way to ensure they're aware of what they need to do.
4. Audit all stored client/customer info and track where you got it from and where it's been used. Keep a record of every bit of info and who you may have passed it to at any time, and document the relationship and reasoning.
5. Update your privacy policy so it includes the reasoning for retaining any user data, how it is legally used, and how users can contact your business if they feel their user information is in any way being misused.
6. Have a clear method in place to address requests for erasing a user's data. Under the DPA, users already had certain rights but the GDPR takes it further with information rights pertaining to their data stored by your business.
The rights consist of:
• the right to be informed
• the right of access
• the right to rectification
• the right to erasure
• the right to restrict processing
• the right to data portability
• the right to object
• the right not to be subject to automated decision-making including profiling
You will need to be able to provide all this information in a clear and machine-readable format (not handwritten).
7. Have a process in place for handling large volumes of requests. Previously, under the DPA, businesses had 40 days to comply with a request. That has been shortened to one month. Any lawful request must be fulfilled; however, if there are a large number of requests and the suspected motive is to cause problems for your business, then these requests can be contested legally.
8. Have your lawful reasoning for retaining user data or passing it to others clearly stated for users, and ensure the opt-in option is not pre-ticked or unclear. Users must have a clear understanding of why you want their data, what you do with it, and who you might share it with. And they must have the option to say no. This is separate from Terms and Conditions.
9. If your business deals with anyone under the age of 16 then you'll need a parent or guardian's permission to process any of the child's data. This is very important and strictly regulated but at the same time if you're not dealing in information as a commodity then you're likely not going to have to worry.
10. Have steps in place to address a data breach. In the event that users' data may be compromised, you will need a way to let all affected users know what was compromised and when. Assigning someone internally the task of coordinating the response is a great idea.

And that's it! As you can see, it's a big-business problem, rooted mostly in user protection in Europe, where social networks have been cited as problematic and susceptible to foreign influence.
North America is not really affected much, but the issue is still very newsworthy, which can make some small business owners nervous when they don't need to be. That said, this article from Small Business BC https://smallbusinessbc.ca/blog/the-small-business-impact-of-gdpr/ points out some seemingly harmless potential data breaches that could put you at risk of violation, such as sending out greeting cards to customers living in the EU.
Susan Friesen, founder of the award-winning web development and digital marketing firm eVision Media, is a Web Specialist, Business & Marketing Consultant, and Social Media Advisor. She works with entrepreneurs who lack the knowledge, skill and support needed to create their online business presence.


Article Source: http://EzineArticles.com/9938974