Does GDPR Apply to Canadian Companies?

Currently the Personal Information Protection and Electronic Documents Act (PIPEDA) is in place, to ensure the free flowing of personal data from companies within the EU to companies in Canada and vice versa. It is likely that there will be changes to the PIPEDA once the General Data Protection Regulation (GDPR) comes into operation, in May 2018.

The reason why changes are likely is that currently the PIPEDA only has an adequate rating from the EU as to whether it ensures that Canadian companies will adhere to the stricter data protection rules included in GDPR. The one certain thing is that companies will have to comply with the requirements of GDPR if they want to continue transferring the personal data of individuals from and to companies within the EU. They will also need to protect the personal data of all customers who live within the EU, according to GDPR requirements.

What Companies Need To Do

Canadian companies need to ascertain what data they are holding, in respect of customers from within the EU. One thing that they need to bear in mind is that they have to be able to report on where and how they hold the data, who who collected it, and who can access it. They also need to be able to provide access to the data to individuals, and comply with an individual’s right to be forgotten, where applicable. All of this means that Canadian companies need to audit and organise their data processing, in accordance with the requirements of GDPR.

Failure to take action could lead to companies in Canada facing sanctions, if they do not comply with the GDPR. The full range of sanctions have yet to be defined, but they include fines of up to $20 million euro or 4% of annual turnover. No company wants to be hit with this sort of severe penalty, so compliance is a necessity.

GDPR Rules for Retailers Keeping Customer Data

High street retailers will need to pay careful attention when the General Data Protection Regulation (GDPR), comes into force. They will need to ensure that their current processes comply with GDPR requirements, or face strict, and potentially costly, sanctions.

All retailers use marketing measures to retain current customers, and attract new ones. This is where they could experience problems, if they do not give careful consideration to their actions.

Using customer information for a specific purpose

Any retailer who requests information from a customer for a specific purpose, can only use the information for that purpose, and must delete the information from its records afterwards, according to GDPR. For instance, an email provided so that a customer service questionnaire can be issued, following a store visit, should only be used for that purpose; unless consent is provided to send future promotional materials to the email address.

Profiling customers

If a retailer profiles a customer, using methods such as online purchase history, they may need to obtain individual consent to do so, according to GDPR. Individual consent is only required if there is a “legal effect” to the profiling. This may include the offer of certain reductions to people who are profiled in a certain way. If there is no such effect, a retailer only needs to inform customers that it’s looking at their buying behavior.

These are two specific aspects of GDPR that retailers need to have regard for, if they want to avoid the possibility of being fined, for non-compliance.