
GDPR for Canadian Companies

As a business owner, you likely have some awareness of the Canadian Anti-Spam Legislation (CASL), which came into effect July 1st, 2014. In this article, we discuss the General Data Protection Regulation (GDPR) for Canadian companies.

As a quick background on CASL, when it was introduced it broke records for being the toughest law in the world protecting consumers from email spam.

It put in place stringent measures to prevent companies from sending electronic messages to you without your consent – and a host of other consumer protections which were much needed.

Businesses then had to carry out an audit of their various email and other lists and set about putting in place measures to respect consumers’ wishes about being contacted by them.

Here we are four years later and another huge regulatory step is being taken – this time in Europe – to provide even more protection to consumers.

It was passed into European law in May and you as a Canadian business may have to comply with this new set of regulations dealing with the way we communicate with our target audiences, customer base, and followers.

If you want to find out more about GDPR for Canadian companies, you’ve arrived at the right place! This is a quickfire introduction to GDPR for Canadian businesses who have been living with Canada’s Anti-Spam Legislation (CASL).

So, buckle up, and get ready to learn more about the European Union (EU)’s new digital privacy laws, how they differ from CASL, and why they might relate to your business.

What is GDPR and why was it introduced?

GDPR is the formalization of the EU’s spam and privacy laws. Before it was enforced on May 25th, 2018, each EU member state was open to interpreting the laws in its own way, which, naturally, led to confusion throughout the EU.

You can find all the official legal information regarding GDPR on their website. A handy GDPR beginner’s guide for small businesses can provide some starter steps, particularly if your trading area includes the UK and Europe.

GDPR isn’t restricted to email-related laws, but also covers digital cookies and personal data. For example, the way in which organizations store, use, and manage personal information such as names, addresses, social handles, and more, is all in question.

How does GDPR differ from CASL?

Firstly, if you want to brush up on your knowledge of CASL, check out all the official information. The chart below provides an overview of the differences:

Chart: Differences between GDPR and CASL.

In short, GDPR is far more stringent than CASL, so you need to be prepared for it. If your website is receiving traffic from users within the EU who could be ‘cookied’ by your marketing automation or personalization software, you need to have proper measures in place to adhere to GDPR.

What’s the penalty, you might ask? Well, GDPR fines can be as high as €20 million or up to 4% of your business’s annual global revenue, whichever is greater, should you commit an offense. With CASL, the maximum your organization could be fined was $10 million (excluding individual fines for directors, etc).

For a comprehensive review of how GDPR will affect your business, we’d recommend speaking to your legal team or qualified legal advisor, but a few key things to look out for are:

  • With GDPR, any organization AND third parties who are relying on consent must be named
      ◦ This just means that whoever will have access to your data must be named. For example, check out PayPal’s list of third parties (as of April 2018).
  • Even precisely defined categories of third-party organizations are not accepted under GDPR
      ◦ Pretty straightforward – you must name any third-party organizations. Describing them without naming them, e.g., “a financial services organization with 74 employees based at 100 Main Street”, isn’t going to cut it.
  • Recipients of email communications can opt out at any time and their request must be answered promptly
      ◦ Delaying your response to an unsubscribe request (accidentally or deliberately) is a breach of GDPR. For example, if someone opts out, you should confirm that request in good time – as quickly as possible, basically!
  • Communication recipients now have the right to be ‘Forgotten’ and to ‘Data Erasure’
      ◦ For example, if someone wants to be removed from your records for whatever reason, they now have the right to request that and you must approve it.
  • Parental consent must be provided for children under the age of 16
      ◦ A great example here would be a game or application that someone under 16 signs up to play on their phone. The app needs to obtain consent from the child’s parent or guardian.
  • A breach notification must be sent to the supervising authority within 72 hours of detection of a personal data breach.

These are just a few of the key differences between GDPR and CASL, most of which are extensions of pre-existing CASL regulations.

How does PIPEDA come into play?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian privacy law that was fully enacted on January 1, 2004 – before the introduction of CASL.

This law covers more areas along the lines of the GDPR requirements. It sets out rules to abide by when collecting, using, and disclosing personal information.

The biggest similarity is the requirement of explicit consent from users that their personal information can be disseminated for the purposes provided by the business.

GDPR for Canadian companies: what should you do now?

First and foremost, the best thing you can do is run an audit on the data you’re holding about consumers, and check who is visiting your website and where from. If you have Europeans on your email, customer, or other lists, then the new laws apply to your business.

Getting permission is key, so review your online marketing offers and requests to ensure that you are clear with what you are asking permission for.

For example, literally ask the user in plain English if they want to receive additional emails relating to your company offers, and leave the checkbox unticked by default. Ambiguity can be interpreted as non-compliance.

As mentioned above, the fines for breaching GDPR, for Canadian organizations and all other companies charged, are hefty, so don’t get caught out by a lack of attention to detail when it comes to the new EU digital privacy laws.

So now that you understand the importance of GDPR for Canadian companies, what will be your next step? Let us know!
