The GDPR, the General Data Protection Regulation, is all everyone has been talking about lately. Unfortunately, I have noticed quite a few myths about compliance with this law (not only in blog posts, but also in practice) and therefore thought it would be pertinent to properly address some of them. Here are 4 GDPR myths that need to be debunked for good.
Of course, please take this as legal information and not legal advice. If you have any questions regarding the GDPR or if you need help with compliance, send me an email at firstname.lastname@example.org.
#1 The GDPR only applies to businesses in the European Union
As easy as that would be, there is a reason why everyone has been talking about the GDPR. This regulation applies to all entities that collect personal data from European residents in order to sell them products, services, or to track their behavior. Unfortunately, with the way the internet is today (and with the very popular use of Google Analytics), this applies to most entities.
What is personal data you ask? Under the GDPR, personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
#2 I need to ask my mailing list to opt-in again in order for me to be able to send them emails
#3 If I’m already PIPEDA and CASL compliant, then I should also be GDPR compliant
While Canadian privacy laws share some common ground with the GDPR, they differ quite a bit. For instance, Canadian privacy laws still rely on implied consent if necessary, while explicit consent is one of the core concepts of the GDPR. PIPEDA also does not impose a minimum age to be able to give consent, while the GDPR sets it at 16 years old (although it can be modified by European member states to bring it down to 13).
The concept of data portability (meaning that if you ask an entity for your personal data, it must provide you with the information in a “structured, commonly used and machine-readable format”) is also absent from Canadian privacy laws. I could go on about the differences between the two laws. It is therefore essential to understand that being in compliance with Canadian laws does not mean in any way that you will be compliant with the GDPR.
While these are the most commonly addressed aspects of the GDPR, they are far from being the only ones. One of the most important parts about being GDPR compliant is documenting your compliance and having a very good understanding of how personal data travels in your business. If you are processing personal data, you need to know why you are doing it, on what legal basis you are allowing yourself to do so, and for how long you will be keeping that data.
Being GDPR compliant also involves reviewing your internal policies and making sure you have adequate security measures. If you work with sub-contractors and other business partners who will be handling the personal data you collect in any way (a hosting platform would be a good example), you also need to make sure they are GDPR compliant.
Remember that being GDPR compliant is a process, not a race. Take the time to do things properly, to have transparent and clear privacy policies, and to acquire a complete understanding of what you do with the data you collect.