The GDPR, the General Data Protection Regulation, is all everyone has been talking about lately. Unfortunately, I have noticed quite a few myths about compliance to this law (not only in blog posts, but also in practice) and therefore thought it would be pertinent to properly address some of them. Here are 4 GDPR myths that need to be debunked for good.
Of course, please take this as legal information and not legal advice. If you have any questions regarding the GDPR or if you need help with compliance, send me an email at info@artylaw.ca.
#1 The GDPR only applies to businesses in the European Union
As easy as that would be, there is a reason why everyone has been talking about the GDPR. This regulation applies to all entities that collect personal data from European residents in order to sell them products, services, or to track their behavior. Unfortunately, with the way the internet is today (and with the very popular use of Google Analytics), this applies to most entities.
What is personal data you ask? Under the GDPR, personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
#2 I need to ask my mailing list to opt-in again in order for me to be able to send them emails
This myth is very unfortunate as quite a few companies have acted on it and have therefore lost a good portion of their mailing list. If you have already gotten consent from your newsletter subscribers (which is something you should absolutely be keeping track of and documenting), you do not need to ask for it again. If you haven’t asked them for their consent prior to putting them on your mailing list, contacting them to ask for their consent would be illegal. Yes, letting your subscribers know about your new privacy policy is absolutely fine, but do not fall into the reopt-in trap. This myth only stems from a misunderstanding of the law.
#3 If I’m already PIPEDA and CASL compliant, then I should also be GDPR compliant
While Canadian privacy laws share some common grounds with GDPR, they differ quite a bit. For instance, Canadian privacy laws still rely on implied consent if necessary, while explicit consent is one of the core concepts of the GDPR. PIPEDA also does not impose a minimum age to be able to give consent while the GDPPR sets it at 16 years old (although it can be modified by European member states to bring it down to 13).
The concept of data portability (meaning that if you ask an entity for your personal data, it must provide you with the information in a “structured, commonly used and machine-readable format”) is also absent from Canadian privacy laws. I could go on about the differences between the two laws. It is therefore essential to understand that being in compliance with Canadian laws does not mean in any way that you will be compliant with the GDPR.
#4 Having a privacy policy, cookies policy and GDPR compliant forms is enough to be fully compliant with the law
While these are the most commonly addressed aspects of the GDPR, they are far from being the only ones. One of the most important parts about being GDPR compliant is documenting your compliance and having a very good understanding of how personal data travels in your business. If you are processing personal data, you need to know why you are doing it, on what legal basis you are allowing yourself to do so, and for how long you will be keeping that data.
Being GDPR compliant also involves reviewing your internal policies and making sure you have adequate security measures. If you work with sub-contractors and other business partners who will be handling the personal data you collect in any way (a hosting platform would be a good example), you also need to make sure they are GDPR compliant.
Remember that being GDPR compliant is a process, not a race. Take the time to do things properly, to have transparent and clear privacy policies, and to acquire a complete understanding of what you do with the data you collect.
If you need any help on the road to being GDPR compliant, do not hesitate to contact me whether you need someone to draft/review your privacy policy, do a full GDPR audit on your business or simply get some cues about compliance. You can always reach me at info@artylaw.ca or you can click the link below to schedule a consultation.
