GDPR for Canadian Companies

As a business owner, you likely have some awareness of the Canadian Anti-Spam Legislation (CASL), which came into effect on July 1, 2014. In this article we discuss the General Data Protection Regulation (GDPR) for Canadian companies.

As a quick background on CASL, when it was introduced it broke records as the toughest law in the world protecting consumers from email spam. It put in place stringent measures to prevent companies from sending you electronic messages without your consent, along with a host of other much-needed consumer protections. Businesses then had to audit their various email and other contact lists, and put measures in place to respect consumers' wishes about being contacted.

Here we are four years later and another major regulatory step is being taken, this time in Europe, to provide even more protection to consumers. It was passed into European law in May, and as a Canadian business you may have to comply with this new set of regulations governing the way we communicate with our target audiences, customer base, and followers.

If you want to find out more about GDPR for Canadian companies, you’ve arrived at the right place! This is a quick-fire introduction to GDPR for Canadian businesses that have been living with Canada’s Anti-Spam Legislation (CASL).

So, buckle up, and get ready to learn more about the EU’s new digital privacy laws, how they differ from CASL, and why they might relate to your business.

What is GDPR and why was it introduced?

GDPR is the formalization of the EU’s spam and privacy laws. Before its introduction on 25 May 2018, each EU country was free to interpret the laws in its own way, which naturally led to confusion throughout the EU. You can find all the official legal information regarding GDPR on the EU’s GDPR website.

GDPR isn’t restricted to email-related rules; it also covers digital cookies and personal data in general. For example, the way in which organizations store, use and manage personal information such as names, addresses, social media handles, and more, all falls within its scope.

How does GDPR differ from CASL?

Firstly, if you want to brush up on your knowledge of CASL, check out the official CASL information. The chart below provides an overview of the differences:

[Chart: Differences between GDPR and CASL. Source: https://www.maximizer.com/blog/can-spam-casl-gdpr-difference/]

In short, GDPR is far more stringent than CASL, so you need to be prepared for it. If your website receives traffic from users within the EU who could be ‘cookied’ by your marketing automation or personalization software, you need proper measures in place to adhere to GDPR.

What’s the penalty, you might ask? Well, GDPR fines for an offence can be as high as €20 million or up to 4% of your business’s annual global revenue, whichever is greater. Under CASL, the maximum your organization could be fined was $10 million (excluding individual fines for directors, etc.).

For a full review of how GDPR will affect your business we’d recommend speaking to your legal team or a qualified legal advisor, but a few key things to look out for are:

  • With GDPR, any organization AND any third parties relying on consent must be named
    This just means that whoever will have access to your data must be named. For example, check out PayPal’s list of third parties (as of April 2018).
  • Even precisely defined categories of third-party organizations are not accepted under GDPR
    Pretty straightforward: you must name each third-party organization. Describing them without naming them, e.g., “a financial services organization with 74 employees based at 100 Main Street”, isn’t going to cut it.
  • Recipients of your emails can opt out at any time, and their request must be answered promptly
    Delaying your response to an unsubscribe request (accidentally or deliberately) is a breach of GDPR. For example, if someone opts out, you should confirm that request in good time, which means as quickly as possible, basically!
  • Recipients now have the right to be ‘Forgotten’ and the right to ‘Data Erasure’
    For example, if someone wants to be removed from your records for whatever reason, they now have the right to request that, and you must honour it.
  • Parental consent must be provided for children under the age of 16
    A good example here would be a game or application that an under-16-year-old signs up to play on their phone. The app needs to obtain consent from the child’s parent or guardian.

These are just a few of the key differences between GDPR and CASL, most of which are extensions of pre-existing CASL regulations.

GDPR for Canadian companies: what should you do now?

First and foremost, the best thing you can do is audit the data you’re holding about consumers, and check who is visiting your website and where they are visiting from. If you have Europeans on your email, customer or other lists, then the new laws apply to your business.

Getting permission is key, so review your online marketing offers and sign-up forms to ensure you are clear about what you are asking permission for. For example, ask the user in plain English whether they want to receive additional emails relating to your company’s offers, and leave the checkbox unticked by default. Ambiguity can be interpreted as non-compliance.

We alluded above to the fact that the fines for breaching GDPR, for Canadian companies and any other company charged, are hefty, so don’t get caught out by a lack of attention to detail when it comes to the new EU digital privacy laws.

So now that you understand the importance of GDPR for Canadian companies, what will be your next step? Let us know!