2018-05-15 11:17:44 | Technology | English
Source: https://quickbooks.intuit.com/ca/resources/technology/small-business-gdpr-compliance/

Is Your Business Preparing for GDPR Compliance?


Managing customer data is always a concern for small businesses, and most Canadian companies make an honest effort to keep it safe. Starting on May 25, 2018, if you have customers in the European Union, data privacy becomes a bigger issue than ever before. That's because the EU is bringing into force a new set of privacy rules that apply to any organization, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour. It's called the General Data Protection Regulation (GDPR), and if the way you collect, store and share personal data isn't compliant, you could face fines hefty enough to put you out of business in Europe. It's well worth your time to review the rules and make sure your company meets the new standard.

What Is the GDPR?

The GDPR is a regulation adopted by the European Parliament and the Council of the EU in 2016 to standardize and strengthen the protection people in the EU enjoy when organizations handle their personal data. Taken together, its rules create several new rights for individuals, and the law has real teeth for administrative enforcement. It applies to public bodies and private organizations alike, and its definition of personal data is broad: any information relating to an identified or identifiable person. Your social media app could be in trouble if it loses control of a digital photograph of a French or German user, even with no name attached to it, because a recognizable face is enough to identify someone. Under the rules, any data that could be traced back to an identifiable person in the EU is subject to control, and that includes online identifiers such as IP addresses, cookie IDs and location data, not just names and addresses.

The GDPR goes well beyond internet privacy to enforce a culture of data protection at every level of your company. Its 99 articles are technology-neutral: they apply to personal data wherever it lives, whether in a cloud database, on an in-house server, in an email inbox or in a structured paper filing system. What this means is that if your company keeps paper files on customers in Greece, Spain, Romania or any other EU member state, you need physical controls such as locked cabinets and a retention schedule for shredding files you no longer need, because the regulation requires appropriate security and forbids keeping personal data longer than necessary. You're also expected to keep records of your processing activities and to be able to demonstrate compliance on request (firms with fewer than 250 employees get a partial exemption from record-keeping when their processing is only occasional and low-risk), whether you sell syrup to Ireland, bacon to Belgium or banking services to Austria.

Why Did the EU Adopt the GDPR?

The aim of the GDPR is to protect people in EU member states from privacy breaches and unauthorized data mining that are hard for an individual to control. It also includes a "right to be forgotten," formally the right to erasure, which lets a person demand that you delete their personal data when you no longer have a valid reason to keep it; embarrassing social media posts, pictures and video are the familiar examples. Under the rules, a resident of Denmark whose IP address is harvested by your ad server has a right to be told what you collect and why, and a right to request the deletion of any records that could be traced back to them. The regulation also restricts decisions made solely by automated systems when they have legal or similarly significant effects on a person. If you run a video-hosting site and an algorithm takes down a Polish subscriber's video for copyright infringement, you should be prepared to have a human review that decision. The subscriber also has the right to contest it, to receive a copy of the personal data you hold on them and to see your data privacy policy.

Compliance Standards for Canadian Companies

If all this seems like a bit much for a Canadian small business to handle, relax: Canada already has strong privacy laws that harmonize well with the GDPR. The relevant federal law is the Personal Information Protection and Electronic Documents Act (PIPEDA), which the European Commission has long recognized as providing adequate protection for personal data transferred from the EU. If you comply with PIPEDA, you're close to meeting the EU's rules, though adequacy eases data transfers rather than exempting you from the GDPR's own obligations. One twist is that when you rely on consent to offer online services directly to a child, anyone under 16 needs a parent's authorization, though individual member states can lower that age to 13. You might also have to appoint a data protection officer who monitors compliance with the GDPR, but only if:

  • You operate a public entity, such as a utility company or housing authority
  • You harvest large amounts of data as part of a "systematic monitoring" program, the way an ad server does
  • Your core business involves large-scale processing of special categories of data, such as health records, biometric data or criminal records

Consequences for Violators Can Be Stiff

As complicated as the GDPR's 99 articles can get, it's really worth getting compliant. Companies that do business with people in the EU and violate the law's provisions can face serious fines. For the most serious infringements the ceiling is 20 million euros or 4% of your company's worldwide annual turnover, whichever is higher; a lower tier of 10 million euros or 2% applies to failures such as poor record-keeping or not reporting a data breach. Say you do the bulk of your business in Canada and the States, around $10 million a year, and just a minority of your trade in an EU member state such as Slovakia. If you sell a customer in Slovakia a set of cutlery and then hand their mailing address to a third party without a lawful basis, a fine set at 4% of global turnover would cost your $10 million business $400,000, and because the cap is the higher of the two figures, the legal maximum is actually the full 20 million euros. Regulators scale fines to the severity and duration of the breach, but the exposure is real.

Given the stakes, it's no wonder information companies around the world are moving to keep up with the GDPR. Microsoft has a team of 300 engineers working on GDPR readiness across its products and services ahead of the May 25 deadline. Google, YouTube, Facebook, Twitter, international banks and many more organizations are preparing likewise.

Doing business in the EU is a big part of many Canadian small businesses' income. After the GDPR takes effect, the rules for handling the personal data of EU residents will be tighter than ever before. Canadian firms already in compliance with PIPEDA are well-positioned to make a smooth transition into the new world of European data privacy.

Information may be abridged and therefore incomplete. This document/information does not constitute, and should not be considered a substitute for, legal or financial advice. Each financial situation is different, the advice provided is intended to be general. Please contact your financial or legal advisors for information specific to your situation.
