The European Union’s General Data Protection Regulation (GDPR) and ePrivacy Regulation are now in full effect.
The Canadian Marketing Association (CMA) has created and published a guide, CMA Guide to the European Union (EU)’s General Data Protection Regulation (GDPR) and ePrivacy Regulation, intended to provide an overview of general requirements, as well as insight on Canadian implications. It is available only to CMA members.
The guide covers eight key rights included in the GDPR:
- The right to be informed – Companies must include some form of privacy notice indicating how they use the personal data of their customers.
- The right of access – This continues the right of data subjects to access the personal data that organizations hold about them without incurring fees.
- The right to rectification – Customers will be entitled to have incorrect information rectified. Third parties must also be notified if this data has been disclosed to them.
- The right to erasure – The removal of personal data can be requested if there is no reason for its continued processing.
- The right to restrict processing – Customers will have the right to ‘block’ personal data processing. Companies can still store the data, but not process it.
- The right to data portability – This allows customers to transfer and use personal data across different services.
- The right to object – This allows customers to object to their data being processed.
- Automated decision making & profiling rights – Safeguards are provided against the risk that a potentially damaging decision is taken without human intervention.
The GDPR’s expanded extra-territorial reach means that marketers must consider how the full scope of the regulations could apply to Canadian organizations. The GDPR will apply to any organization, wherever located, that uses the personal information of EU residents to market products to, or “monitor the behaviour of,” such residents. This application extends to the processing of personal information whether within the EU or outside of it, by both data collectors and data processors.
“Canadians expect governments, marketers and consumers to work together to ensure that personal information is protected,” said John Wiltshire, CMA President and CEO. “To that end, the CMA is committed to establishing and ensuring best practices for marketers in Canada and has created the GDPR Guide as a resource to assist members with understanding and compliance of this new and far-reaching regulation.”
Many of the GDPR’s restrictions and requirements are consistent with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). And many Canadian organizations may already have policies and procedures in place that would be considered compliant. However, to ensure GDPR compliance, the CMA recommends the following:
- Determine whether GDPR applies to your organization.
- Obtain expert advice on the application of GDPR to your business activities, and what you may be required to do to comply.
- Protect your company’s most important data: ensure the sensitive data under your control is protected across devices, apps, cloud services and on-premises environments.
Benefits also come along with the changes that GDPR will bring. Both consumers and businesses may witness the development of additional services as a result of the clearer, more consistent rules, which will likely lead to a greater sense of security, legal certainty and trust in the market.