Actionable GDPR Compliance Advice For Canadian Businesses From Our Lawyers
“GDPR. It’s a 4-letter word that can make life difficult…we’re trying to make it easy for you.”
You’ve probably heard about some new legislation from the EU called the GDPR. It’s so new that a lot of businesses, companies and lawyers are still trying to figure out what it is, who’s responsible, and what complying with it means. Alphabet® decided to spare you hours of internet research and multiple headaches by consulting the experts and going directly to our lawyers at Momentum Business Law to understand what this means for Canadian businesses.
What is the GDPR?
The GDPR is the EU General Data Protection Regulation, and some are calling it the most important change in data privacy regulation in 20 years. It applies to any EU citizen or any citizen who is in the EU (like a travelling Canadian), and all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. So that means these rules still apply to citizens of the EU travelling to Canada.
Essentially, it applies to 99% of businesses and should be complied with by everyone. Now, that level of compliance is where things can get a little tricky, depending on your risk aversion.
PIPEDA vs GDPR
Because we live in Canada (btw, do you have a .CA?), many of the changes and policies in the GDPR are already covered under the Personal Information Protection and Electronic Documents Act, or PIPEDA.
PIPEDA already governs how private sector organizations collect, use and disclose personal information in the course of commercial business. It became law in 2000, and interestingly enough, was intended to reassure the European Union that the Canadian privacy law was adequate to protect the personal information of European citizens. PIPEDA covers a lot of ground, but the biggest takeaways are that it requires organizations to:
- obtain consent when they collect, use or disclose an individual's personal information;
- supply an individual with a product or a service even if they refuse consent for the collection, use or disclosure of their personal information, unless that information is essential to the transaction;
- collect information by fair and lawful means; and
- have personal information policies that are clear, understandable and readily available.
But, even with PIPEDA, there are some gaps that need attention to ensure that you’re complying with GDPR, because you can definitely be sued if you’re not.
GDPR: TOP 3 TAKEAWAYS
There’s a lot of uproar around this legislation, specifically from countries with really relaxed privacy laws (we’re looking at you, USA). But really, there are only three things that Canadian businesses who are already following PIPEDA rules need to do to ensure that they’re following the GDPR rules.
1) COOKIES
If you’re using cookies on your website, you need to be clear and explicitly state to users that you’re doing so (so no hiding this in the footer), while including a direct link to your privacy policy. The folks at Momentum Business Law recommend using a cookie bar that appears when users land on your website. Depending on your company’s level of comfort with risks, you can choose one of the three options below.
The first two are best for very risk-averse companies as they do not allow a user to browse the website unless they have completed an action to agree to the use of cookies. The third option is what most companies are currently using, is less obstructive for users, and is less technically challenging.
- Requiring users to accept the terms by clicking an ‘Accept’ or ‘ok’ button;
- Requiring users to ‘X’ out of a pop-up box indicating the terms; or
- Stating to users that continued use of the website signals consent to the terms.
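The practical difference between the three options is when non-essential cookies (analytics, retargeting pixels) are allowed to be written. The following is an added example, not code from the original post or from Momentum Business Law: a small consent gate in which "explicit" mode models options 1 and 2 (nothing non-essential is set until the visitor acts) and "implied" mode models option 3 (the first further interaction counts as consent). The storage key, function names and the in-memory storage and cookie-jar doubles are assumptions made so it runs outside a browser.

```javascript
// Added example (not from the original post or Momentum Business Law):
// a consent gate deciding whether non-essential cookies may be set.
// Storage and cookie writing are injected so the same logic runs in a
// browser or in a test. All names here are hypothetical.

const CONSENT_KEY = "cookie_consent"; // assumed key for the remembered choice

function createConsentGate({ storage, setCookie, mode = "explicit" }) {
  const remembered = storage.get(CONSENT_KEY);
  const state = {
    decided: remembered === "granted" || remembered === "denied",
    granted: remembered === "granted",
    pending: [], // non-essential cookies requested before a decision
  };

  function record(choice) {
    state.decided = true;
    state.granted = choice === "granted";
    storage.set(CONSENT_KEY, choice);
    if (state.granted) {
      for (const [name, value] of state.pending) setCookie(name, value);
    }
    state.pending = []; // declined cookies are dropped, never set
  }

  return {
    status() {
      return state.decided ? (state.granted ? "granted" : "denied") : "undecided";
    },
    accept() { record("granted"); },  // "Accept"/"OK" button or closing the box
    decline() { record("denied"); },
    // Option 3: continued browsing is treated as consent. Note how little the
    // visitor has to do here; that is the risk trade-off the post describes.
    recordInteraction() {
      if (mode === "implied" && !state.decided) record("granted");
    },
    // Strictly necessary cookies (session, CSRF token) bypass the gate.
    setEssentialCookie(name, value) { setCookie(name, value); },
    setNonEssentialCookie(name, value) {
      if (state.granted) setCookie(name, value);
      else if (!state.decided) state.pending.push([name, value]);
      // denied: silently dropped
    },
  };
}

// In a browser the gate would be wired to the cookie bar and real storage, e.g.
//   storage: { get: k => localStorage.getItem(k), set: (k, v) => localStorage.setItem(k, v) }
//   setCookie: (n, v) => { document.cookie = `${n}=${v}; path=/; SameSite=Lax; Secure`; }

// Constructed in-memory doubles so the example runs outside a browser.
function makeTestHarness(mode, remembered) {
  const store = new Map();
  if (remembered) store.set(CONSENT_KEY, remembered);
  const jar = {};
  const gate = createConsentGate({
    storage: { get: k => store.get(k), set: (k, v) => store.set(k, v) },
    setCookie: (n, v) => { jar[n] = v; },
    mode,
  });
  return { gate, jar, store };
}

function demo() {
  const explicit = makeTestHarness("explicit");
  explicit.gate.setEssentialCookie("session", "abc");  // allowed before consent
  explicit.gate.setNonEssentialCookie("_ga", "GA1.1"); // queued, not set
  explicit.gate.recordInteraction();                   // ignored in explicit mode
  const beforeAccept = Object.keys(explicit.jar);
  explicit.gate.accept();
  const afterAccept = Object.keys(explicit.jar);

  const implied = makeTestHarness("implied");
  implied.gate.setNonEssentialCookie("_fbp", "fb.1");
  implied.gate.recordInteraction(); // a single click counts as consent
  return {
    beforeAccept,
    afterAccept,
    impliedJar: implied.jar,
    impliedStatus: implied.gate.status(),
  };
}

console.log(JSON.stringify(demo()));
```

The point to take from running it: in explicit mode the analytics cookie never reaches the jar until `accept()` is called, while in implied mode one interaction is enough, which is why the post ranks the third option as the least risk-averse.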
2) PRIVACY POLICY
If your website performs any sort of data-collection function, you now need to communicate to users if, how and why you are using data via things like cookies, Google Analytics, Facebook pixels, marketing automation software, etc.
3) RIGHT TO BE FORGOTTEN
Also known as Data Erasure, the Right to Be Forgotten means that if you can identify a user in your data (for example, through a newsletter signup), you must delete their information if they request that you do so. If you can’t identify a user (for example, through a Facebook retargeting pixel), we recommend providing them with clear instructions within your privacy policy on how they can delete their cookies and thereby be ‘removed’ from your list. Although this isn’t necessarily required under GDPR, it helps organizations be more helpful to website visitors and demonstrates a commitment to giving users control over their personal data.
It’s important to note that these rules apply to both controllers and processors – meaning ‘clouds’ will not be exempt from GDPR enforcement.
WHY THIS MATTERS
Under GDPR, organizations in breach of this legislation can be fined up to 4% of annual global turnover or €20 Million (whichever is more) – which is a pretty hefty price to pay for being able to sell someone socks on Facebook or something.
The information contained in this blog post is for general information purposes only and in no circumstance does this information constitute legal advice. We make no representation as to the accuracy, completeness, currentness, suitability or validity of any information in this blog post and will not be liable for any errors, omissions, or delays in this information or any losses, injuries or damages arising from its display or use. All information is provided on an as-is basis. This blog post includes information provided to us by third parties (including our lawyers) and that information may not have been vetted by us. You should consult with an attorney before you rely on this information.
Momentum Business Law’s team of experienced business lawyers are available to help, should you require legal advice. Contact them today by email at info@momentum.law or by phone at 613.592.3939.