Many Canadian companies are investigating the question: does GDPR apply to Canada and Canadian companies? While there are existing laws in place to facilitate the flow and exchange of information, including personal data, between groups based within the European Union (EU) and groups based in Canada, the introduction of the General Data Protection Regulation (GDPR) on May 25, 2018, will quite probably impact and change the current situation.
The Personal Information Protection and Electronic Documents Act, known as PIPEDA, is the name of the law that is currently in effect. The EU does not have an overly favorable view on PIPEDA’s ability to hold Canadian entities to the standards necessary to comply with the GDPR. In any case, no matter where they are based – be it Canada, Colombia, China, or Cyprus – entities that process or store personal data relating to people living within the EU will need to follow the rules laid down in the GDPR.
What Action do Canadian Companies Need to Take?
Companies based in Canada will need to review and take stock of the information they hold relating to individuals in EU countries. They will need to be able to show a full chain of custody of the data – from the entity that gathered it and the people who have or who are able to access it, to the facility and systems being used to store or process it. Importantly, they must be able to give individuals access to their own data and be able to honor an individual’s “right to be forgotten” in certain cases. The first step is to perform an in-depth audit that identifies the data covered by the GDPR. Organizations can then identify and structure the procedures used to store and process this data so that they are in line with GDPR standards.
Should entities based in Canada continue to operate as before or be found to be non-compliant with the GDPR, they leave themselves open to a range of penalties. At least two tiers of sanctions are to be implemented, with the maximum fine in the upper tier reaching either €20 million or 4% of total global turnover, whichever is higher. As these are significant amounts and data breaches can cause immense damage to both institutions and individuals, it should be obvious that compliance is the smarter, cheaper, and more efficient choice.
Regulations on Retaining Customer Data
GDPR does not just apply to administrative services or data analytics companies; brick-and-mortar retailers and high street shops are also concerned. Should their procedures be found in violation of GDPR standards, these shops may find themselves liable to the same kind of fines as mentioned above.
Almost every shop engages in some type of marketing and communication with existing and potential clients, which may be something as simple as a mailing list containing names and addresses. Such shops could find themselves in difficulty if the proper procedures and methods have not been or are not being followed, i.e., ensuring consent has been given, facilitating deletion of a customer’s information, etc.
Specific Purposes and Limited Uses of Customer Information
Where an organization has requested data from a customer for a specific purpose and the client has provided the data for this reason, under GDPR the organization cannot use this data for any reason outside the specified purpose. Once this purpose has been accomplished, the data must be deleted. For example, a client may share an email address and agree to receive a survey. Once the survey has been sent, the email address must be deleted from the business’s database unless the customer also provided consent for the email address to be used for other purposes.
Creating Customer Profiles
Should retailers engage in the creation of customer profiles through the aggregation of buying habits, they may be required to seek permission from the individual to remain compliant with GDPR. The GDPR requires individual consent in cases where there may be a “legal effect” from profiling. A limited discount offered solely to certain profiles may count as such a legal effect. If this type of advantage or similar pricing decisions are not being made based on profiles, retailers are still obliged to inform customers that they are monitoring purchasing behavior.
Retailers and companies should all be fully aware of their duties to customers and individuals under GDPR if they wish to avoid the potentially crippling penalties associated with violating the rules.