Is Canada Covered by GDPR?

A lot of Canadian businesses want to know if GDPR is applicable to Canada and Canadian businesses. Although existing laws already regulate the transmission and exchange of information, which includes personal information, between organizations located in the European Union (EU) and organizations located in Canada, the General Data Protection Regulation (GDPR), which was introduced on May 25, 2018, will very likely affect and alter current policies and procedures.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a law that is currently enforced in Canada. Regardless of the requirements of PIPEDA, Canadian companies still need to follow the rules of the GDPR if they are storing or processing the personal information of people residing in the EU.

What Should Canadian Companies Do?

Organizations based in Canada should make an inventory of the records they have of people living in EU countries. They must be able to show how data are collected, how information is used and processed, where information is stored and how it is protected. They must also be capable of giving individuals access to their personal data and granting their “right to be forgotten.” The very first thing that needs to be done is an exhaustive audit to identify all data covered by the GDPR. Only then can organizations create a framework of policies and procedures that is compliant with GDPR standards.

Can Canadian entities continue to do business as before? If a business is found to be non-compliant with the GDPR, it might face significant penalties. There are two tiers of penalties that can be applied for GDPR violations. The maximum penalty in the upper tier is €20 million or 4% of global annual turnover, whichever amount is higher. With such significant penalty amounts, the smarter and cheaper choice for companies is compliance.

Rules on Retaining Customer Information

GDPR applies to companies that offer administrative services and data analytics. It also applies to brick-and-mortar shops and high street stores. If the procedures of a shop violate GDPR standards, it may be liable for fines.

Almost all shops do some form of communication and marketing to current and prospective clients. For example, building a mailing list of customers’ names and addresses would require proper procedures, which include getting the customers’ consent and assisting in the removal of a customer’s data on request. If the right procedures are not followed, the shop may end up in big trouble.

Specific Purposes and Limited Uses of Customer Data

Whenever an organization makes a request to collect data from a consumer, it is necessary to state the specific purposes why data is required and how that information will be used. An organization is then limited to using the data for those particular purposes under GDPR. As soon as the purpose is achieved, the organization must dispose of the data securely. For example, a client supplies his email address in order to receive a survey he agreed to answer. After the survey is over, the company should delete the client’s email address from its database unless the client has also agreed that the company can use the email address for other purposes.

Making Customer Profiles

If vendors create customer profiles through the collection of data, the company must obtain prior consent to be GDPR compliant. In instances where profiling has a “legal effect”, consent of each customer is required under the GDPR.

All companies need to be aware of their responsibilities to consumers under the GDPR to avoid the penalties for GDPR violations.