What is GDPR and how does it affect me?
You have probably heard about it – GDPR, aka ‘General Data Protection Regulation’, is a new European Union directive that is coming into effect on May 25, 2018. Its purpose is to unify data privacy requirements across all member states of the European Union (EU) and at its core it is a regulation that gives EU residents more control over how their personal data is used (which is way overdue as the last directive on this topic was from 1995).
What does that have to do with my Canadian business?
The key differentiator from GDPR to other data protection laws is that it is extraterritorial. What this means is that it is not tied to whether or not you have an office in the EU and you treat with EU residents directly. Regardless of where you are located and whether you are B2B or B2C, GDPR applies if you treat and collect personal data of an identifiable EU citizen.
What data is covered under GDPR?
GDPR refers to ‘Personal Data’, or any data related to an identified or identifiable person. This can include:
- Personal information (name, email address, phone number, etc.)
- Online activity (IP address, pictures/posts on social media, cookies)
- Important records (medical information, bank details)
What should I do to prepare?
If you do direct business with EU citizens and/or have a location in the EU, you should ensure that you are 100% compliant to avoid massive fines. If you do not have any EU clients or offices, GDPR could still apply to you, but the risk of you coming into contact with it will be much lower.
There are no specific how-to’s outlined within the directive, but there are requirements set. When looking to be GDPR compliant, there are 4 key areas that are worth reviewing for your business:
The good news for Canadians is that with PIPEDA & CASL, we already have a fair amount of directives in place that support you in being GDPR compliant. CASL and GDPR are really similar when it comes to consent. Ensure you tick the following boxes when collecting contact information:
- Have a double opt-in (and keep a record of it)
- Ensure there is expressed consent (i.e. don’t pre-fill tick boxes)
- Include a specific description of what you will be contacting them about
- Collect only relevant personal information
2. Right to be Forgotten
The largest difference between CASL and GDPR lies within the opt-out. Under GDPR you have the ‘right to be forgotten’. Which means, when requested by the user, you need to be able to completely erase a person and all their data from your database and all 3rd party vendors (i.e. CRM, Marketing Automation, etc.)
3. Data Breach Notification
If, for whatever reason, there has been a data breach and personal information has been leaked or damaged, you are required to notify all affected subjects within 72 hours of detection. Additionally you have to notify the relevant authorities.
4. Data Protection Officers (DPO)
If your business works with personal data on a large scale, you are obligated to appoint a Data Protection Officer. This person should be independent from all data collection and processing and will be responsible for the creation and implementation of all related internal policies.
When in doubt, we recommend you to consult a legal entity to identify best next steps.
If you have any differing thoughts, or items to add, or simply want to talk about this in more detail, please get in touch!