In this article, we address the most pressing questions about GDPR and how it affects businesses in Canada. We will answer:
What is GDPR?
Where did GDPR come from, and what are the implications?
What does GDPR mean on a strategic and tactical level for Canadian businesses?
Part 1: What is GDPR?
The General Data Protection Regulation, or GDPR, is an EU regulation that governs how the personal data of people in the EU is collected, used, stored and shared, and that gives those people enforceable rights over that data.
It applies to any organization that processes that data, wherever the organization is based, and it also restricts transfers of personal data out of the EU. If you’ve ever looked at how a CDN or analytics provider moves data between regions, you’ll realize this touches every company hoping to sell to or engage with people in the EU.
After being debated for four years in the EU, GDPR was adopted in 2016 with a two-year transition period. This means D-Day for GDPR is right around the corner, on May 25, 2018.
What does GDPR hope to achieve?
The purpose of GDPR is fourfold.
First, it aims to eliminate clunky old data protection laws that are hopelessly outdated and replace them with something that actually makes sense. It will offer both protection to consumers and incentives for companies to follow the rules.
These protections and regulations are in line with the new-found sophistication of data collection and deployment, and they have a large enough scope (and harsh enough penalties) that companies will think twice about skirting the rules.
Second, GDPR will standardize existing regulation, turning what amounts to regulatory patchwork into a more unified regulatory tool.
Third, GDPR aims to clarify what is legal and what is not for organizations that use the personal data of people in the EU.
Right now, while there is probably some legal finagling going on with data collection and use, there’s also a legitimate case that it’s difficult to know what is and isn’t allowed for an organization like Google or Facebook.
And finally, GDPR aims to protect consumers by guaranteeing them 10 rights:
The right of transparency and modalities.
The right to be informed.
The right of access.
The right to rectification.
The right to be forgotten.
The right to restrict processing.
The right for notification obligation.
The right to data portability.
The right to object.
The right in relation to automated decision making and profiling.
We’re not going to go into great detail about each of these, but the basic principle is this:
Individuals have a right to know how their data is being used and by whom, they have a right to recourse if they disagree or want that changed, and they have a right to know if there is a data breach or if their data is at risk. (These rights belong to people, not to businesses: GDPR protects natural persons only.)
How does GDPR work?
Obviously, just saying “Okay, consumers now have all these rights” doesn’t change anything.
Here’s how the law is actually structured and implemented.
First, some language.
In the parlance of GDPR, there are four terms you need to know:
The data subject: the identified or identifiable natural person the data is about. This is always a human being, never a company.
The personal data: any information relating to that person (name, email, IP address, customer ID, behavioural data). It’s the digital asset created by watching the data subject.
The data controller: the person or organization that decides why and how personal data is processed, and is responsible for protecting it.
The data processor: an organization that processes or stores personal data on the controller’s behalf and under its instructions.
The way GDPR works is pretty simple.
It regulates controllers (organizations that collect personal data from people in the EU and decide what to do with it) and processors (organizations that process or store that data for controllers) as a way to drive better outcomes for data subjects.
Essentially, it regulates the people who decide what happens to the data and it regulates the organizations that actually handle it. For instance, if you’re a company using Google Analytics, you would be the controller (you run the website collecting data) and Google would be the processor.
Fines and penalties
This isn’t just a goodwill thing. There are strict fines and penalties for both controllers and processors who step out of line. Given our experience with how CASL came into effect, we don’t imagine that organizations will be charged in the short term, but we will see these tools used by the EU in the long term. The maximum fine is 4% of annual global turnover or €20 million, whichever is higher.
To summarize GDPR:
GDPR is designed to replace a groaning patchwork of out of date, regional data protection laws with a single, simple framework that both data controllers and data processors must abide by.
GDPR carries significant fines if either the controller or the processor fails to comply.
It’s designed to protect consumers and make it easier to understand who has access to data, what they’re doing with it, removing your own data from systems, and being informed if there’s a data breach.
GDPR applies to all organizations established in the EU, and to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour.
Part 2: What Canadian businesses need to do
You might be thinking “none of my current customers are in the EU, so I think I’m good!”
And you might be. But most businesses with a digital presence are likely to have some European visitors on their website, subscribing to newsletters, or buying their products.
Fortunately, getting and staying compliant with GDPR isn’t as tricky as is sounds, and is mostly work you should be doing anyway.
Please note: this isn’t legal advice, we are not lawyers, and this is not an exhaustive list.
Step 1: getting consent
Many Canadian businesses have already implemented the type of robust consent processes GDPR calls for because of Canada’s Anti-Spam Legislation (CASL) being strengthened a few years ago.
A big change under CASL for Canadian businesses was express consent that cannot be obtained through a pre-selected checkbox, with double opt-in as the usual way to prove it.
The idea was that you couldn’t email a prospective customer or client without their express consent. Express consent essentially means a person has clearly and explicitly agreed (in writing or orally) to receive an email.
GDPR works much the same way. It requires:
Active consent that is confirmed by the subject (rather than the passive consent seen in some current models, which rely on opt-outs or pre-ticked boxes)
Records of how and when consent was received
A way for people to ‘unsubscribe’ and withdraw their consent whenever they want
For the past two years, businesses should have been cleansing their lists and databases to ensure they are compliant with the new standards. If not, now is a good time to do it.
Going forward, if buying lists is still part of your business development strategy, you need to confine your purchases to lists that contain no EU residents to minimize the risk of running afoul of GDPR, since the seller’s consent records rarely meet the GDPR standard.
A nice, easy way to do this is to review CASL guidelines and add a data field to your list where the level of consent is recorded. That way, you can track your list consent and apply marketing or communications campaigns based on the level of consent for maximum compliance.
If for some reason, your current consent process isn’t up to scratch for the GDPR rules, you’ll have to change it to comply with the new rules or stop collecting data by May 25.
Step 2: build processes for removing data subjects from your database/any databases you’ve shared it with
“You have to also remember that people can opt-in, but at any time they may reach out to you and say “hey, I didn’t know you’re sharing my data with company X, please stop doing that and make company X remove my data.” (source)
Consumer protection under GDPR doesn’t stop at a strong active consent process. Consumers have to actively opt in, but they can also opt out and request that you remove their data at any time.
The ‘right to erasure’ – which lets individuals request you remove their personal data – means you have to remove a data subject from your database (and from any databases you’ve shared it with) without undue delay, and at most within one month, if:
The data is no longer necessary for the purpose it was collected for
The data subject withdraws consent and you have no other legal basis for keeping it
The data subject objects to their data being processed, and you have no overriding legitimate grounds to continue
The data was collected or processed unlawfully
A legal obligation requires you to erase it
The data was collected from a child in connection with an online service
The ‘right to restrict processing’ also means that people can request you stop using their data for specific actions.
So now is the time to build up your processes and systems that allow for the fast and thorough removal of personal data from your databases. You’ll also need to be able to have the personal data you collect removed from any third party database or processor that you’ve shared it with.
In practice, this means doing an audit of your systems and databases to make sure they have the ability to delete data at an individual level. If your systems do not allow for this level of functionality, you’ll need to upgrade to new versions that do.
Next, you’ll want to set up some formal procedures and contracts with your data processors that ensure that your processors and any other third-parties also guarantee effective erasure of data.
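To make Step 1 and Step 2 concrete, here is an added example of the kind of consent-and-sharing ledger they describe: a record per subject that stores how and when consent was obtained, which processors the data was passed to, and an erasure routine that removes the subject locally and then tracks which processors still owe a confirmation. This is illustration code written for this article, not any vendor’s product or API; the class, field and method names (ConsentLedger, ConsentRecord, share_with, erase, confirm_processor_erasure) and the sample subject are all invented for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class ConsentRecord:
    """One consent event. Field names are this example's own, not a standard schema."""
    subject_id: str                 # pseudonymous key; the only identifier that may appear in logs
    email: str
    purpose: str                    # what the consent covers, e.g. "newsletter"
    method: str                     # how it was obtained: "double-opt-in", "written", "oral"
    evidence: str                   # pointer to the proof (confirmation mail id, form log id)
    given_at: datetime
    withdrawn_at: Optional[datetime] = None
    shared_with: List[str] = field(default_factory=list)   # processors that received the data

    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Per-subject consent, sharing and erasure tracking (hypothetical design)."""

    INVALID_METHODS = {"pre-ticked", "implied", "opt-out"}   # passive consent is not consent

    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}
        self._pending: Dict[str, Set[str]] = {}     # subject -> processors yet to confirm erasure
        self.audit: List[str] = []                  # append-only; must never hold personal data

    def _log(self, msg: str) -> None:
        self.audit.append(f"{datetime.now(timezone.utc).isoformat()} {msg}")

    def record_consent(self, rec: ConsentRecord) -> None:
        # Refuse passive consent at write time rather than cleaning the list up later.
        if rec.method in self.INVALID_METHODS:
            raise ValueError(f"{rec.method!r} is not valid active consent")
        self._records[rec.subject_id] = rec
        self._log(f"consent {rec.subject_id} purpose={rec.purpose} "
                  f"method={rec.method} evidence={rec.evidence}")

    def can_contact(self, subject_id: str, purpose: str) -> bool:
        rec = self._records.get(subject_id)
        return rec is not None and rec.active() and rec.purpose == purpose

    def share_with(self, subject_id: str, processor: str) -> None:
        rec = self._records[subject_id]
        if not rec.active():
            raise PermissionError(f"consent for {subject_id} was withdrawn; cannot share")
        if processor not in rec.shared_with:
            rec.shared_with.append(processor)          # lineage: needed later for erasure fan-out
            self._log(f"shared {subject_id} with {processor}")

    def withdraw(self, subject_id: str, when: datetime) -> None:
        self._records[subject_id].withdrawn_at = when
        self._log(f"withdrawn {subject_id}")

    def erase(self, subject_id: str) -> List[str]:
        """Delete locally; return the processors that must now be told to erase too."""
        rec = self._records.pop(subject_id, None)
        if rec is None:
            return []
        self._pending[subject_id] = set(rec.shared_with)
        self._log(f"erased {subject_id} locally; awaiting {sorted(rec.shared_with)}")
        return sorted(rec.shared_with)

    def confirm_processor_erasure(self, subject_id: str, processor: str) -> None:
        todo = self._pending.get(subject_id)
        if todo is None:
            return
        todo.discard(processor)
        self._log(f"{processor} confirmed erasure of {subject_id}")
        if not todo:
            del self._pending[subject_id]      # request is complete only when every processor confirms

    def outstanding_erasures(self) -> Dict[str, List[str]]:
        return {s: sorted(p) for s, p in self._pending.items()}


def demo() -> dict:
    """Walk one constructed subject through consent, sharing, erasure and fan-out."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 3, 1, tzinfo=timezone.utc)
    ledger.record_consent(ConsentRecord("s-1001", "anna@example.org", "newsletter",
                                        "double-opt-in", "confirm-mail-7731", t0))
    ledger.share_with("s-1001", "email-service")
    ledger.share_with("s-1001", "analytics")
    rejected = False
    try:
        ledger.record_consent(ConsentRecord("s-1002", "ben@example.org", "newsletter",
                                            "pre-ticked", "form-12", t0))
    except ValueError:
        rejected = True
    before = ledger.can_contact("s-1001", "newsletter")
    to_notify = ledger.erase("s-1001")
    ledger.confirm_processor_erasure("s-1001", "email-service")
    still_open = ledger.outstanding_erasures()
    ledger.confirm_processor_erasure("s-1001", "analytics")
    return {
        "passive_rejected": rejected,
        "contactable_before": before,
        "contactable_after": ledger.can_contact("s-1001", "newsletter"),
        "processors_to_notify": to_notify,
        "open_after_one_confirmation": still_open,
        "open_after_all": ledger.outstanding_erasures(),
        "email_in_audit": any("anna@example.org" in line for line in ledger.audit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design choices matter here. The audit trail records only the pseudonymous subject id, the purpose, the consent method and a pointer to the evidence, so proving that consent existed or that erasure happened never re-creates the personal data you just deleted. And an erasure request is not closed when your own row is gone: the ledger keeps the list of processors the data went to and holds the request open until each one confirms, which is exactly the follow-through your processor contracts need to make possible.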
In a recent poll of 1,200 employees from Germany, the UK, the US, and Australia, 75% of respondents said that they would be likely to exercise the right to erasure under the GDPR. So it will pay to have a robust process in place to deal with erasure requests.
Step 3: build a process to rectify
The ‘right to rectification’ gives individuals the right to have their data corrected if it is inaccurate, or completed if it is incomplete. If you’re a data controller and you receive a request like this, you’ll need to correct or complete the data without undue delay.
The goal is to make the process for correcting data a normal part of data management, rather than a ‘fire in the warehouse, all hands on deck’ sort of event.
To achieve this, you’ll want to build a process for keeping your data clean and up to date, so that updates and corrections can be done smoothly. You’ll also want to ensure you’re working with verifiable third parties, like Google and Facebook. Because they’re under much more scrutiny to be compliant than 99.9% of companies will ever be, they’ll have stronger procedures for processing corrections and fixing inaccurate data.
Step 4: prepare for a breach
If you suffer a data breach, GDPR requires you to notify the relevant data protection authority within 72 hours of becoming aware of it (unless the breach is unlikely to put anyone at risk), and to notify the affected data subjects without undue delay when the breach is likely to put their rights and freedoms at high risk. You need to work out a way to do both.
The 72 hour deadline is aggressive, and GDPR defines ‘personal data breach’ expansively: any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data counts, not just a hacker walking off with a database. So you’ll need to build a fast and efficient process to detect a breach, assess it, and send out the notifications.
Here are a few of the key elements you’ll keep in mind while building your data breach process:
Define exactly what a breach is and communicate this to everyone in the company. To meet the 72 hour cut off you’ll need all hands on deck. So it is critical everyone understands and can identify a potential breach.
Update and document your internal breach notification procedures. Because data controllers and processors are now subject to a strict data breach notification rules, it’s important to be able to show you have a documented data breach procedure in place.
Develop a process for notifying data protection authorities. Along with notifying data subjects their data has been breached, GDPR requires you to notify appropriate authorities. You’ll need to provide data protection authorities with information on the number of data subjects and nature of records that are involved in the breach, a thorough description of the breach, and the measures you propose to take to deal with it.
Make sure your notifications to data subjects contain all the necessary information. GDPR requires businesses to provide:
Contact information for the Data Protection Officer or another point person
A description of the breach
The probable consequences of the breach for the data subject
The measures your business has taken to deal with the breach
Advice on how data subjects can protect themselves
Even for companies outside of the EU, GDPR has some consequences you need to keep in mind:
If you offer goods or services to people in the EU, or track their behaviour on your site, you’re on the hook for GDPR compliance even with no EU office. Merely being reachable from the EU isn’t enough on its own, but newsletters, EU shipping, euro pricing, or analytics that profile EU visitors generally are.
Achieving and maintaining GDPR compliance has a few key components: you’ll need to ensure your consent processes are up to snuff; build strong procedures for erasing data and correcting inaccuracies so that you can respond effectively to the ‘right to erasure’, the ‘right to restrict processing’, and the ‘right to rectification’; and prepare your business to respond to data breaches and notify the authorities and your customers quickly.
Complying with GDPR isn’t as difficult as it sounds, though. Many Canadian businesses will already be in compliance thanks to rules and regulations of our own – and the GDPR requirements are mostly things you should be doing anyway.