The European Union’s General Data Protection Regulation (GDPR) has come into effect, and it also applies to businesses outside the EU that collect or use the personal data of people in the EU. Canadian businesses with EU customers or clients are affected, and for most of them the GDPR requires significant changes.
Canadian businesses are used to building their data policies and processes around the Personal Information Protection and Electronic Documents Act (PIPEDA). Some of the GDPR’s requirements overlap with PIPEDA, so Canadian businesses are already partway to compliance. For example, the GDPR requires businesses to document their data policies and procedures and to keep records of how they have used personal data; Canadian businesses were already required to do this under our own regulators.
How is The GDPR Different from PIPEDA?
While PIPEDA encourages businesses to report data breaches they have encountered and to notify affected customers, the GDPR requires businesses to report a breach to the relevant supervisory authority within 72 hours of becoming aware of it.
Further, while businesses are used to keeping records of their data and customer information, they are not used to the GDPR’s requirement that they determine whether each use of personal data is both “necessary” and “lawful.” The GDPR defines several lawful bases for processing a customer’s personal information: for example, the customer has given clear consent, the data is needed to fulfil a legal or contractual obligation, or the business is pursuing a “legitimate interest.”
Rights Under The GDPR
The GDPR also grants several data-privacy rights to individuals in the EU. Some of these rights align with PIPEDA in spirit, and some in letter. The rights include:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision making, including profiling
Many of these rights are familiar to Canadian businesses. The right to be informed about how one’s data is used, to access that data, and to have that data erased (also known as the right to be forgotten) are straightforward. Others, such as the right to restrict processing, are more complicated. Under this aspect of the law, a customer can ask you to stop using their data in your processing while still allowing you to store it. There are special circumstances in which you can refuse such a request, but either way, a business has one month to respond.
Will Your Business Face Sanctions?
The fines the EU can levy under the GDPR are hefty: up to 20 million euros (roughly 30 million Canadian dollars) or 4% of worldwide annual turnover, whichever is higher. According to the CBC, small and medium-sized businesses will not necessarily receive reduced fines because of their size. On the other hand, regulators are unlikely to prioritize small and medium-sized Canadian businesses unless a complaint is lodged against them. The good news is that you still have time to ensure all your policies are compliant.
At Direct Response Media Group, we understand the importance of privacy laws and PIPEDA regulations. Your company and client information is kept secure and safeguarded so you can better understand consumer behaviour and analytics. We ensure your marketing campaigns are always compliant and follow government guidelines. Let us help you grow your business. Contact us for more information on how we can help you reach more customers in your area!