Managing customer data is always a concern for small businesses, and most Canadian companies make an honest effort to keep it safe. Starting on May 25, 2018, if you have customers in the European Union, data privacy is about to become a bigger issue than ever before. That’s because the EU is implementing a new set of privacy rules that apply to every entity doing business with citizens of member countries. It’s called the General Data Protection Regulation, and if your database isn’t compliant, you could be looking at fines hefty enough to put you out of business in Europe. It’s well worth your time to look at this rule to ensure your company is up to the new standards.
What Is the GDPR?
The GDPR is a set of regulations adopted by the EU Council to help standardize and improve the safety EU-member citizens enjoy when dealing with businesses. Taken together, the rules the Council adopted create several new protections for EU nationals, and the laws have real teeth for administrative enforcement. The rules apply to just about any private entity that handles citizens’ information, and the definition of "information" is pretty broad. In theory, your social media app could get in trouble if it loses control of a digital photograph — even with no name attached to it — of a French or German citizen. Under the rules, any data at all that could be traced back to an identifiable person in the EU is subject to control.
The GDPR goes way beyond internet privacy to enforce a culture of data privacy that works on every level of your company. Of the GDPR’s 99 list items, only eight address online databases, such as domain servers or cloud storage. Most of the other 91 rules touch on how your company handles data internally in any form. What this means is that if your company keeps paper files on its customers, and just one lives in Greece, Spain, Romania, or any other EU member state, you’d better have locks on your file cabinet and a schedule for shredding old files. You’re also required to keep records and report on compliance if you want to sell syrup to Ireland, bacon to Belgium, or banking services to Austria.
Why Did the EU Adopt the GDPR?
Compliance Standards for Canadian Companies
If all this seems like a bit much for a Canadian small business to handle, relax — Canada already has strong privacy laws that harmonize well with the GDPR. In Canada, the relevant law is the Personal Information Protection and Electronic Documents Act. If you’re in compliance with PIPEDA, you’re close to being good with the EU’s rules. One twist is that gathering or processing information that belongs to someone under age 16 now requires parental consent, though individual member states can lower that age to 13. You might also have to appoint a data protection officer who monitors and controls compliance with the GDPR, but only if:
- You operate a public entity, such as a utility company or housing authority
- You harvest large amounts of data as part of a "systematic monitoring" program, the way an ad server does
- Your company handles sensitive information, such as credit data and health records
Consequences for Violators Can Be Stiff
As complicated as the GDPR’s 99 line items can get, it’s really worth it to get compliant. Companies that do business with EU citizens and violate any of the law’s provisions can find themselves on the receiving end of serious fines. These fines can rise as high as 4% of your company’s global annual revenue, or up to 20 million Euros. Say you do the bulk of your business in Canada and the States — around $10 million a year — and just a minority of your trade in an EU member state, such as Slovakia. If you sell a Slovakian a set of cutlery, for example, and release the customer’s mailing address to a third party, your global $10 million business could be struck with a $400,000 fine.
Given the stakes, it’s no wonder information companies around the world are moving to keep up with the GDPR. Microsoft has a team of 300 engineers working on its data privacy systems and automated IP harvesting algorithms to prepare for the May 25 deadline. Google, YouTube, Facebook, Twitter, international banks, and many more entities are preparing likewise.
Doing business in the EU is a big part of many Canadian small businesses’ income. After the GDPR goes into effect, the rules for interacting with EU nationals stand to get tighter than ever before. Canadian firms, already in compliance with PIPEDA, are uniquely well-positioned to make a smooth transition into the new world of European data privacy.