Do you need a GDPR audit? Complaints filed on first day!

It has been one month since GDPR came into existence. So many didn’t even know about it or didn’t pay attention to it until the week prior, even though it has had a two-year transitional period. The lack of awareness and procrastination caused a huge panic and rush to beat the deadline. I admit… I was one of the oblivious and ignorant up until that time. Believe it or not, there are many, many others who still don’t even know what GDPR is – the General Data Protection Regulation, which helps European Union residents gain greater control over how their information is used online.

I covered this in my article last month when I had to sit down and research it:
https://thevirtualsolution.com/gdpr

If you didn’t read it then and you aren’t familiar with GDPR, take a quick read now… because if you have a website, if you use email marketing, if you collect or process people’s personal data… it affects your business, even if you have no idea what this new regulation is and even if you think you don’t market to anyone residing in a European Union country.

In getting right to business, the first GDPR complaints were filed on the same day the regulation came into effect. Within hours, Google, Facebook, Instagram, and WhatsApp were hit with privacy complaints that cnet.com stated could carry fines of up to $9.3 billion in total.

Google, Facebook, Instagram, and WhatsApp are forcing people to consent to their privacy policy and terms, with the alternative being that the service cannot be used if they are not agreed to. While this may seem like a normal practice, this is no longer allowed under GDPR. Someone from a European Union country must be able to deny consent for tracking cookies and to having their data processed and stored for purposes they do not agree with, and you still have to provide them some level of service. It can’t be an all or nothing situation.

None Of Your Business, a privacy-advocacy group in Australia, “is asking regulators in France, Belgium, Hamburg and Austria to fine the companies up to the maximum 4 percent of their annual revenue that the GDPR rules allow, which could potentially add up to a $4.88 billion fine for Google parent company Alphabet and $1.63 billion for each of Facebook, and its Instagram and WhatsApp services.” (cnet.com)

Several days later, French digital rights group La Quadrature du Net filed claims against not only Facebook and Google, but also Apple, Amazon, and LinkedIn. According to zdnet.com, La Quadrature du Net “filed seven complaints with French privacy regulator CNIL against the five companies. Google got separate complaints over Gmail, YouTube, and Search.”

Zdnet.com also states, “One of the GDPR’s many novelties is that it allows non-profit organizations to complain about companies’ violations on behalf of those who might be affected. This action adds weight to the complaints, and makes it more likely that they are well formulated.”

I know these are big companies that are facing violations. If you’re reading this, you’re likely a small business compared to them. However, that doesn’t mean you are free from risk.

TheStar.com says that Canadian businesses could face $30 million in fines under the new privacy law.

“‘Anybody that is collecting personal data from European residents – not only citizens – needs to comply with this,’ Ale Brown, founder of Kirke Management Consulting, said in a phone interview from Vancouver. ‘That’s equally true for a boutique fashion company selling purses, a university with students from a European country or a website using cookies or other information tracking features,’ she said. The GDPR could even affect small tourism-related business such as a resort or tour operator, because they have guests from all over the world.

Besides having potentially hefty fines, the GDPR’s scope is also sweeping.

It covers everything from giving people an opportunity to obtain, correct or remove personal data about themselves, to outlining rules for disclosing security breaches, to providing easily understood privacy policies and terms of service.”

I’m not a lawyer, so I wouldn’t even consider trying to give you legal advice.

However, if you can’t or won’t have your lawyer write your privacy policy and thoroughly assess your business for GDPR compliance (I know, it’s expensive), at least DO WHAT YOU CAN to get your business up to speed. You can buy lawyer-created GDPR documents online or create one yourself using resources to help you, and then you can have a lawyer review it and your setup at a later time.

I do think it’s smart to at least try to cover your butt and your business, and make sure you’ve updated your website, your policies, and email marketing practices to show you’re trying to be compliant. Doing nothing at all could land you in a pickle at some point.

Here’s what I’m offering right now.

GDPR Technological Audit & Assessment

I’ll go through your website and do a quick audit to look at what tracking codes and cookies you may have in use, what opt-ins/landing pages you have on your website, your privacy policy, how people are added to your email marketing list and tagged (if applicable), your autoresponder/campaign setup, how your products are connected to your email marketing, etc.

I’ll do an assessment and provide you with a list to let you know what’s missing and what needs to be added, what needs to be modified and updated, what you may want to discuss with or have checked by your lawyer, etc. My assessment is not to be taken as a substitute for legal advice. My recommendations will be from a virtual assistance and technological perspective, based on your current setup and the platforms you have in place, working within any limitations of your chosen email marketing platform (because features and how they deal with GDPR can vary).

This assessment will help you become more aware of what you need to put in place so that you can choose to:

  • Implement the changes yourself
  • Have an assistant implement the changes
  • Consult with a lawyer about your requirements, to write your privacy policy, or to review the wording and setup
  • Hire me to implement the technological aspects for you

GDPR Technological Audit & Assessment

$97 CAD + applicable taxes for the first 10
(After that, regular price of $147 CAD)

Enter Discount Code: GDPR

When the discount code no longer works, the reserved pricing for the first 10 has been claimed.

Includes audit and assessment of:

  • 1 website for 1 business
  • 1 email marketing account
  • 1 shopping cart system
  • Inspection of up to 5 email campaigns/autoresponder series for opt-ins
  • Inspection of up to 5 landing pages or opt-in boxes
  • List of recommended changes/updates/suggestions based on my understanding of GDPR requirements

(If you have more websites, email campaign series, or landing pages that you want inspected, you can contact me for a quote.)

Upon completion of the audit and assessment, if I feel I can adequately help you implement my suggested changes, I will give you a customized quote and timeline for getting that done.