The European Union’s General Data Protection Regulation (GDPR) is a law aimed at protecting individuals’ personal data and privacy within Europe. While this law is most relevant to businesses within the EU, Canadian small businesses must still be aware of it and adopt GDPR-compliant practices to avoid potential legal and financial repercussions.
What Is the GDPR?
The GDPR is designed to harmonize data privacy laws across the European Union. It protects and empowers all EU citizens’ data privacy and reshapes how organizations worldwide approach client data. The regulation was officially adopted in May 2016, but companies were granted a two-year post-adoption grace period to become compliant.
How Does It Affect Canadian Companies?
Even if your company is based in Canada, GDPR compliance is a must if you do business in the EU or hold data on EU citizens. Companies found to be non-compliant with GDPR run the risk of heavy fines of up to four percent of their global revenue.
5 Tips for Becoming GDPR Compliant
Ensuring your business complies with this law is essential and shows your clients that their data protection is a priority to you. Here are five tips to help become GDPR compliant:
1. Be Aware
Key decision-makers and stakeholders in your business must understand GDPR and take it seriously. You should document what client data you hold, where it came from, and who it’s shared with. The European Union has produced the following handy fact sheet that goes into more detail.
2. Check Your Procedures
Each company should review its internal privacy procedures to ensure compliance. This review should extend to how you will delete personal data or provide data electronically, if requested. It’s also recommended to review consent forms for EU residents and determine if any changes are necessary.
The GDPR covers the following data privacy rights for individuals:
- The right to be informed about what data you hold
- The right to access data you hold
- The right to rectify any errors in data
- The right to erase any data you hold
- The right to restrict the processing of data
- The right to data portability
- The right to object
- The right not to be subject to automated decision-making, including profiling
3. Ask for Consent
Under GDPR, using client data requires a positive opt-in from the client. Consent cannot be inferred from silence, pre-ticked boxes, or inactivity. It must also be separate from other terms and conditions. Businesses are also required to produce evidence of this consent if requested.
4. Data Breaches
Data breaches can impact businesses of any size. Your company is required to detect, report, and investigate any breaches involving personal data. If a breach poses a high risk of harm, such as identity theft, you must also notify the affected individuals directly.
5. Understand Differences in Canadian Law
Canadian consent laws have traditionally been more flexible than those found in GDPR. In Canada, most data collected by businesses is gathered on an implied-permission basis. Under GDPR, this isn’t enough.
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) gives Canadians the right to know what information companies hold about them. The GDPR enables clients to obtain that information and download it for their own purposes.
Small Business BC is Here to Help
SBBC is a non-profit resource centre for BC-based small businesses. Whatever your idea of success is, we’re here to provide holistic support and resources at every step of the journey. Check out our range of business webinars, on-demand E-Learning Education, our Talk to an Expert Advisories, or browse our business articles.