Actionable GDPR Compliance Advice For Canadian Businesses From Our Lawyers
“GDPR. It’s a 4-letter word that can make life difficult…we’re trying to make it easy for you.”
You’ve probably heard about some new legislation from the EU called the GDPR. It’s so new that a lot of businesses, companies and lawyers are still trying to figure out what it is, who’s responsible, and what complying with it means. Alphabet® decided to spare you hours of internet research and multiple headaches by consulting the experts and going directly to our lawyers at Momentum Business Law to understand what this means for Canadian businesses.
What is the GDPR?
The GDPR is the EU General Data Protection Regulation, and some are calling it the most important change in data privacy regulation in 20 years. It applies to any EU citizen and to anyone who is in the EU (like a travelling Canadian), and to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. So that means these rules still apply to citizens of the EU travelling to Canada.
Essentially, it applies to 99% of businesses and should be complied with by everyone. Now, that level of compliance is where things can get a little tricky, depending on your risk aversion.
PIPEDA vs GDPR
Because we live in Canada (btw, do you have a .CA?), many of the changes and policies in the GDPR are already covered under the Personal Information Protection and Electronic Documents Act, or PIPEDA.
PIPEDA already governs how private sector organizations collect, use and disclose personal information in the course of commercial business. It became law in 2000, and interestingly enough, was intended to reassure the European Union that the Canadian privacy law was adequate to protect the personal information of European citizens. PIPEDA covers a lot of ground, but the biggest takeaways are that it requires organizations to:
- obtain an individual’s consent when they collect, use or disclose that individual’s personal information;
- supply an individual with a product or a service even if they refuse consent for the collection, use or disclosure of their personal information, unless that information is essential to the transaction;
- collect information by fair and lawful means; and
- have personal information policies that are clear, understandable and readily available.
But, even with PIPEDA, there are some gaps that need attention to ensure that you’re complying with GDPR, because you can definitely be sued if you’re not.
GDPR: TOP 3 TAKEAWAYS
There’s a lot of uproar around this legislation, specifically from countries with really relaxed privacy laws (we’re looking at you, USA). But really, there are only three things that Canadian businesses that are already following PIPEDA rules need to do to ensure that they’re following the GDPR rules.
- Requiring users to accept the terms by clicking an ‘Accept’ or ‘ok’ button;
- Requiring users to ‘X’ out of a pop-up box indicating the terms; or
- Stating to users that continued use of the website signals consent to the terms.
If your website performs any sort of data-collection function, you now need to communicate to users if, how and why you are using data via things like cookies, Google Analytics, Facebook pixels, marketing automation software, etc.
3) RIGHT TO BE FORGOTTEN
It’s important to note that these rules apply to both controllers and processors – meaning cloud service providers will not be exempt from GDPR enforcement.
WHY THIS MATTERS
Under GDPR, organizations in breach of this legislation can be fined up to 4% of annual global turnover or €20 Million (whichever is more) – which is a pretty hefty price to pay for being able to sell someone socks on Facebook or something.
The information contained in this blog post is for general information purposes only and in no circumstance does this information constitute legal advice. We make no representation as to the accuracy, completeness, currentness, suitability or validity of any information in this blog post and will not be liable for any errors, omissions, or delays in this information or any losses, injuries or damages arising from its display or use. All information is provided on an as-is basis. This blog post includes information provided to us by third parties (including our lawyers) and that information may not have been vetted by us. You should consult with an attorney before you rely on this information.