June 16, 2024

What is GDPR and how does it affect me?

You have probably heard about it – GDPR, aka ‘General Data Protection Regulation’, is a European Union directive that came into effect on May 25, 2018. Its purpose is to unify data privacy requirements across all member states of the European Union (EU) and at its core it is a regulation that gives EU residents more control over how their personal data is used (which was way overdue as the last directive on this topic was from 1995).

What does that have to do with my Canadian business?

The key differentiator between GDPR and other data protection laws is that it is extraterritorial. This means it is not tied to whether you have an office in the EU or deal with EU residents directly. Regardless of where you are located and whether you are B2B or B2C, GDPR applies if you collect and process personal data of an identifiable EU citizen.

What data is covered under GDPR?

GDPR refers to ‘Personal Data’, or any data related to an identified or identifiable person. This can include:

  • Personal information (name, email address, phone number, etc.)
  • Online activity (IP address, pictures/posts on social media, cookies)
  • Important records (medical information, bank details)
  • Biometric and genetic data
  • Racial or ethnic origin, political opinions, religious beliefs

What should I do to prepare?

If you do direct business with EU citizens and/or have a location in the EU, you should ensure that you are 100% compliant to avoid massive fines. If you do not have any EU clients or offices, GDPR could still apply to you, but the risk of you coming into contact with it will be much lower.

There are no specific how-to’s outlined within the directive, but there are requirements set. When looking to be GDPR compliant, there are 4 key areas that are worth reviewing for your business:

1. Consent

The good news for Canadians is that with PIPEDA & CASL, we already have a fair number of directives in place that support you in being GDPR compliant. CASL and GDPR are really similar when it comes to consent. Ensure you tick the following boxes when collecting contact information:

  • Have a double opt-in (and keep a record of it)
  • Ensure there is express consent (i.e. don’t pre-fill tick boxes)
  • Include a specific description of what you will be contacting them about
  • Collect only relevant personal information

2. Right to be Forgotten

The largest difference between CASL and GDPR lies within the opt-out. Under GDPR you have the ‘right to be forgotten’, which means that, when requested by the user, you need to be able to completely erase a person and all their data from your database and from all 3rd party vendors (e.g. CRM, Marketing Automation, etc.).

3. Data Breach Notification

If, for whatever reason, there has been a data breach and personal information has been leaked or damaged, you are required to notify all affected subjects within 72 hours of detection. Additionally, you have to notify the relevant authorities.

4. Data Protection Officers (DPO)

If your business works with personal data on a large scale, you are obligated to appoint a Data Protection Officer. This person should be independent from all data collection and processing and will be responsible for the creation and implementation of all related internal policies.

When in doubt, we recommend that you consult legal counsel to identify the best next steps.

Overall, it cannot hurt to showcase that you have the right intent. Perform an audit of your current processes, ensure the privacy policy on your website is updated, review whether your third party vendors are aware of GDPR, etc. GDPR is setting a new global data protection standard; to avoid complaints, be compliant.

If you have any differing thoughts, or items to add, or simply want to talk about this in more detail, please get in touch!

Understanding GDPR compliance for your business

GDPR applies to any organization that processes EU citizens’ personal data, regardless of where that organization is based. This extraterritorial reach means Canadian businesses need to understand their obligations if they serve European customers or website visitors.

The regulation sets high standards for data protection. Organizations face fines up to €20 million or 4% of global annual turnover (whichever is higher) for serious violations. These penalties make compliance a business priority, not just a legal checkbox.

How GDPR affects Canadian businesses

Canadian businesses already familiar with PIPEDA and CASL have a head start on GDPR compliance. These regulations share similar principles around consent and data handling. However, GDPR goes further in several areas.

The regulation requires businesses to demonstrate compliance, not just claim it. You need documented processes for handling data requests, breach notifications, and consent management. Many businesses underestimate the administrative work involved in meeting these requirements.

Key compliance requirements

GDPR establishes clear rules for data processing. You must obtain explicit consent before collecting personal data. You need legitimate reasons to process this data. You must allow users to access, correct, or delete their information upon request.

Your privacy policies need to explain in plain language what data you collect, why you collect it, and how you use it. Technical jargon and legal speak don’t meet GDPR’s transparency requirements. Users should understand your practices without a law degree.

Data mapping and vendor management

You need to know where EU citizen data lives in your systems. This includes your CRM, email marketing platform, analytics tools, and any other service that touches customer information. Each vendor in your stack needs to be GDPR compliant.

Review your contracts with third-party service providers. Ensure they include data processing agreements that meet GDPR standards. Your compliance depends on their compliance – you remain responsible even when you outsource data processing.

Practical steps for GDPR compliance

Start with a data audit. Document what personal data you collect, where you store it, who has access to it, and how long you keep it. This audit forms the foundation of your compliance program.

Update your consent mechanisms. Remove pre-checked boxes from your forms. Add clear descriptions of how you’ll use the data. Implement double opt-in for email subscriptions. Keep records of when and how users gave consent.

Create a process for handling data subject requests. EU citizens can request access to their data, request corrections, or ask for deletion. You must respond within 30 days. Build systems and workflows to meet this deadline consistently.

Breach response planning

Develop an incident response plan before you need it. The 72-hour notification window starts when you detect a breach, not when you finish investigating it. Your plan should identify who needs to be notified, how you’ll communicate with affected individuals, and what steps you’ll take to contain the breach.

Test your breach response plan regularly. Run tabletop exercises with your team. Identify gaps in your processes before a real incident exposes them.

When you need a Data Protection Officer

Not every business needs a dedicated Data Protection Officer. GDPR requires a DPO when you process large amounts of sensitive data, conduct regular and systematic monitoring of individuals, or are a public authority.

If you do need a DPO, this person acts independently from your marketing and operations teams. They monitor compliance, conduct audits, serve as the point of contact with regulators, and advise on data protection impact assessments.

Moving forward with GDPR

GDPR compliance isn’t a one-time project. Data protection practices need ongoing attention as your business evolves, you add new tools, or regulations change. Regular audits help you catch issues before they become problems.

Strong data protection practices benefit your business beyond avoiding fines. Customers increasingly value privacy. Clear communication about data handling builds trust. Streamlined data management reduces security risks and operational complexity.

Need help assessing your GDPR compliance requirements? Contact us to discuss how data protection regulations affect your specific business situation.

Know What’s Next
from Top Draw