For a business in Canada, it might seem odd to need to care about what goes on in the European Union (EU). While Canada is on great terms with the EU, the difference in continents means a lot: for one, Canada does not play by the same set of rules as the EU does. In one crucial area, though, Canadian businesses that do business in the EU or with EU citizens will need to follow EU regulation. This comes in the form of the newly adopted General Data Protection Regulation, or GDPR.
So, why should you care about this as a Canadian business? On what grounds can a European data protection regulation affect you?
What GDPR Means to a Canadian Company
These new regulations, which came into effect in May 2018, change the face of data protection worldwide. If your company does business in the EU or with someone who holds an EU passport (from one of the 28 member nations), then you must comply with EU data protection law.
Unless you are totally ignorant of modern news, you will have noticed that data privacy is in the headlines. Companies across the world that were trusted with the data of millions have been found to be using that data in less than ethical ways.
Naturally, this has had quite an impact on the business world. Customers are now far more alert to how companies use their data, and regulations like GDPR push companies to be more scrupulous with the data they hold on people.
With far more power in the hands of the consumer, you will need to adapt to the following regulatory changes.
New Rights and Responsibilities
Among the biggest changes under GDPR is how you are actually allowed to manage personal data. GDPR gives the subjects of your data rights that they did not have before, including:
- The right to have all of their data provided to them in an easy-to-read and acceptable format.
- The right to be forgotten: to have any data about the individual removed from your systems entirely.
- The right to see more information about how you process and store data, and what kind of protection you use to ensure the data is moved securely.
- The right to give clear instructions as to what information can be used, as well as when and where it can be used.
- The right to full transparency, and to reject the use of their data for any kind of marketing purpose they choose.
These rights will become a key part of customers' day-to-day dealings with your business. They will also determine the ways in which you can use any data collected about a customer, transforming the way your business manages personal data.
The first thing you need to get your head around is that all of this data will, in effect, be heading off to the EU. Any controller or processor that is not geographically based in the EU, but works with EU citizens or businesses, will need to appoint a representative in the EU to act for them.
You will need someone who can represent you in Europe. However, not every business will need to do this; some will be able to get an exemption. If you do not carry out large-scale data processing, or you are unlikely to hold data that could put the person in question at risk in any way, then you may be able to avoid having to get EU representation.
Still, we recommend that you speak with a GDPR consultant as soon as you can.
Consent Must be Given
Consent can no longer be assumed by default. With GDPR, you must now start from the position that consent has not been given, and you must clearly detail why you want the user's data, what you will use that data for, and why this is beneficial to the individual.
Consent must be clear and detailed, and it must be as easy for the user to revoke as it was for them to sign up in the first place.
Compliance is Essential
If you fall within the scope described above, then compliance is more or less essential. If you are unable or unwilling to comply, you will eventually receive a warning if you keep falling foul of GDPR. You will then have a short space of time to make changes before being formally informed of a GDPR breach.
You will also have to keep a register of any GDPR breaches. Should you be found to have infringed upon the legal rights of your customers, you could face a sanction as large as €20m. You could even face a private lawsuit, so it is important that you take all the time you can to fully comply with GDPR.
However, you will often receive a verbal warning, and then a clearer, stricter warning, if you breach GDPR before being hit with any sanctions or fines. We recommend, though, that any Canadian business that worries about GDPR take part in a GDPR consultation.
This will help you to quickly ascertain where you stand with regard to GDPR and whether you need to make any changes to match up with it. Many small businesses will have no issues with GDPR but, if you are at all uncertain, you should have your business evaluated. Casino Pick have outlined, in their infographic below, steps and facts around GDPR which should help you become compliant: