Canadian businesses don’t have to worry about Europe’s new General Data Protection Regulation (GDPR), right?
Well, the answer to that is—it depends.
I know, you might still be wrapping your head around the Canadian Anti-Spam Legislation (CASL), and now you need to worry about GDPR. It is almost enough to drive small business owners offline. But that is not the solution, and being CASL and GDPR compliant may not be as difficult as you think.
First, what is GDPR?
The GDPR (General Data Protection Regulation) is a new European Union Regulation, which will replace the 1995 EU Data Protection Directive (DPD). It is said the GDPR will significantly enhance the protection of the personal data of EU citizens and increase the obligations on organizations who collect or process personal data. It will officially be enforced starting May 25, 2018. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.
Does GDPR apply to you?
While the legislation governs entities within the EU, the scope and reach of the GDPR extend past geographical territories. If you market your products or services to citizens and residents of the EU, or collect or monitor their behaviour on your website, then it applies to you. Here are a few examples of when it may apply:
- You have a blog that allows visitors from anywhere in the world (including in the EU) to register blog notifications
- Your business-to-business company markets and sells products (or services) to businesses and/or individuals in the EU
- You own a bed and breakfast that accepts bookings from visitors from anywhere in the world (including in the EU)
- You are an Etsy seller, or a brick and mortar retail store with an online shopping cart, and sell and ship your products to individuals in the EU
So now what?
So as you can see, GDPR regulations can apply to many Canadian businesses. And the requirements for GDPR are specific around content, privacy and security of personal data, access to data, as well as internal procedures your company should have.
While it is a very good idea to seek advice and legal guidance, it is very likely that if you are using sales and marketing systems from industry leaders, you already have everything you need to be compliant and simply need to change some processes and policies.
If the systems you use to collect visitor and customer data (website, CRM, shopping cart, inbound marketing, email marketing, and marketing automation) are leaders in their industry, it is likely they are already developing processes and putting in protections to address their customers’ concerns about GDPR compliance. Here are a few industry leaders who are doing just that.
- HubSpot has general GDPR information available for their customers (https://www.hubspot.com/data-privacy/gdpr) and has created a checklist to help you assess if you are ready for GDPR. (https://www.hubspot.com/data-privacy/gdpr-checklist)
- SurveyMonkey has pledged their commitment to GDPR compliance (https://www.surveymonkey.com/curiosity/surveymonkey-committed-to-gdpr-compliance)
- Shopify has several articles about getting ready for GDPR (https://www.shopify.ca/blog/gdpr-and-ecommerce)
We highly recommend you speak with your legal counsel so that they can tell you how the law may apply to your specific circumstances.
Disclaimer: This blog is not intended to be used as legal advice for your company to use in complying with EU data privacy laws like the GDPR, nor can we guarantee the absolute accuracy of the information shared in this blog or on the pages linked to in this blog. We insist you consult an attorney if you would like advice on your interpretation of the GDPR. Do not rely on this blog as legal advice, nor as a recommendation of any particular legal understanding.