On May 25, 2018, the General Data Protection Regulation (GDPR) will come into force. This law creates new obligations for Canadian businesses who collect or handle personal information about people living in the European Union (EU).
We’ve briefly summarized what you need to know about the GDPR in Canada from our perspective as digital marketers. Keep in mind that we’re marketing geeks, not lawyers — but we do hope this information provides a good starting point.
What is the GDPR?
The GDPR lays down rules on the protection and movement of Europeans’ personal data both within and outside the EU. It aims to harmonize the laws on data privacy in line with the European Charter of Fundamental Freedoms, which gives EU citizens certain rights regarding their personal data.
The regulation came about back in 2016, but it does not come into force until May 25th, 2018. As that ‘deadline’ approaches, it’s no surprise many Canadian businesses are wondering whether the GDPR applies in Canada and, if so, what they need to do about it.
The short answer is yes: if you do business in the European Union, it’s likely the GDPR will apply to you, even if you’re based in Canada.
We’ll go into more detail about what that means next.
What Does the GDPR Do in Canada?
The GDPR regulates how businesses handle personal information about individuals who reside in the European Union. That includes the business’s European customers, employees, associates, and others on whom the organization collects data.
As a Canadian business, you must follow the GDPR when collecting personal information from European citizens if you:
- Have an establishment in the European Union.
- Offer goods or services to people in the European Union.
- Monitor the behaviour (including online behaviour) of people in the European Union.
How to Handle Personal Data Under the GDPR
Personal data includes any information that relates to an identifiable person, like a name, surname, I.D. number, or home address. It also includes aspects of an individual’s digital footprint, like their email address, IP address, or cell phone location data.
If your business has an online presence, chances are that you collect at least some data that falls under the category of personal data.
The GDPR establishes six main principles on how businesses (including Canadian businesses) should handle personal data:
- All data must be collected and processed lawfully, fairly, and in a transparent manner. In most cases, you may only collect or process someone’s data after obtaining consent to do so (more on that in the next section).
- You need a specific, legitimate, lawful reason to collect data. No hoarding personal information ‘just because’. If you’re going to collect data, you have to do it with a specific purpose in mind!
- You must limit your data collection to what is necessary to fulfill your purpose. In other words, don’t take more data than you need. If all you need is a name and an email address, don’t ask for a phone number as well.
- You have an obligation to keep the data accurate and up-to-date. Have measures in place to avoid keeping false or outdated information.
- You cannot keep data for longer than is necessary to fulfill your purpose. Once you’re done with it, destroy it.
- You are responsible for data security. If you store the data on an IT system, you must ensure only authorized parties can access it; if you keep physical copies, keep them in a secure location. You also have an obligation to inform people in the event of a data breach.
What is Consent to Collect Personal Data?
Consent is one of the major areas where the GDPR differs from Canada’s federal data privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Whereas PIPEDA in many cases allows for implied consent, the GDPR is strict about when and how businesses should get permission to use someone’s personal information.
As a business, you must obtain clear, affirmative consent in order to collect and process personal data, meaning the person actually has to indicate their permission somehow. For example, an opt-out system like a pre-checked box on a web form does not constitute consent.
Consent must also be freely given, specific, informed, and unambiguous. The person you’re asking must know who you are and what you plan to do with the data, and that they can refuse or withdraw consent at any time.
For children under 16, you must obtain consent from the child’s parent or guardian.
How Canadian Businesses Can Prepare for the GDPR
To reiterate, the GDPR mandates that all businesses that operate in the EU, offer goods and services to EU citizens, or monitor the behaviour of EU citizens must follow the rules for data protection in the GDPR. That includes Canadian businesses. If you do business with Europe, it’s incumbent on you to prepare for the GDPR now.
The exact steps you take will depend on how you operate, but the following are good starting points:
- Review your current policies and processes on data collection. What do you collect, and why? Do you obtain and record consent?
- Create new boilerplate contract clauses that meet the law’s requirements. Consult with your lawyer on this one. If you run an e-commerce website or have automated communication with European customers, it’s essential that your agreements fall in line with the new regulation.
- Start keeping records. You will have to be able to prove you have taken steps to follow the law if ever called into question.
- Decide how to approach the ‘ask’. People might not be willing to hand over their personal data unless you offer them a good reason to. Think about what you can give your customers in return for their consent.