Hey Canadian Businesses: have you heard about the GDPR?

If you owned, or were in management of a Canadian Business in 2015 you will remember the “joy” that was the introduction of the Canadian Anti-Spam Legislation (CASL).  CASL requires businesses to have the consent of those who they email, a record of the consent and a way for people to remove their consent.

Fines under CASL can be high:  up to $ 10 million for Corporations, $ 1 million for individuals.  So far $ 1.1 million is the highest fine that has been levied against a Canadian business.

So.  Loyal Blog reader – is your spam mail lighter because of CASL?  Mine isn’t.  I’m still getting emails that include viruses, threats against me if I don’t click on links and offers for a lot of behaviours I have no interest in (I’m not judging, just reporting).

Many wondered in 2015, why is CASL a thing?  Well, part of the answer is the EU required Canada to toughen up its electronic data laws or face trade sanctions in the future.

Starting this Friday, the EU has upped its’ game – on May 25 the General Data Protection Regulation (GDPR) comes into effect and it applies to Canadians who collect, store and/or process data of EU citizens.  The fine for non-compliance is twenty-million Euros or 4% of world wide profits, which ever is more.

Lovely.  So, now the EU is not forcing Canada to draft laws, its’ simply imposing laws on us.  Seems fair, right? (that was sarcasm)

Data, under the GDPR  includes name, address, email address, social media posts, photos & IP addresses.  This could include information that is typed into a search engine on your website accidentally.  This will include the information of an EU summer intern you’re hiring (or already hired).

So.  What do you need to do to comply?  You need to have a GDPR policy (if this reminds you of CASL, you’re right) that identifies the data and sets out how you will address requests for the data to be removed.

Data removal can be very difficult (and potentially expensive) if bundled with more than one source of the data and the GDPR only lets you charge for the request if it is “manifestly unreasonable”.

The GDPR is far more complicated than CASL – you really need a lawyer to help you navigate through this one.

If your business has an online presence, you likely need to deal with the GDPR, if only to cover yourself for people accidentally (or maliciously) providing you with their EU personal data.   Small online retailers (think local flower shops, food delivery services and other small delivery businesses) who accept orders from the EU are impacted.

We’ve been helping many of our clients get GDPR compliant.  We work hard to make the solution meet the business risk of each client and they are all unique.  Concerned?  We’re here to help.

Inga B. Andriessen JD