GDPR Compliance in Canada.

This article applies not only to Marketing, but IT, Operations, Sales, even HR need to understand GDPR Compliance in Canada and Data Privacy Compliance to mitigate risk.

I am no privacy expert, however, as a Director of Global Campaigns, I have consulted with corporate legal counsel on compliance around GDPR Compliance in Canada and navigated the laws of many EU countries. As a data-driven marketing consultant, I too often see loose permission, no privacy policy or companies distributing customer data to external vendors. 

By not taking action on compliance, your brand reputation may be at risk. It’s imperative that companies are up to date on compliance and have done their due diligence in protecting the rights of individuals’ email, or other sensitive data. 

Attention marketers & business owners! Are you GDPR, CASL, or PIPEDA Compliant?

In today’s digitally data-driven world, most marketing individuals or departments collect data. If you perform any digital advertising, you need to confirm that your client has compliance built into their data collection system. Additionally, you need to ensure that data is secure when traveling from system to system.

45% of companies lack data governance.
Source: Microsoft Canada’s Small & Medium Business Blog

Digital marketers recognize how valuable data is and the importance of privacy law compliance. Compliance is needed to meet customer expectations around data privacy and to reduce the risk of data being stolen or obtained by nefarious individuals. In January 2019, Canadian privacy law on collecting personal information was updated by the Office of Privacy Commissioner of Canada, with seven guiding principles for online consent.  

I recently took a GDRP online course through LinkedIn to help lower the risk factors for my clients. My aim was to leverage site visitor traffic data to remarket, email and make stronger connections with visitors for a more relevant and meaningful experience.

What is GDPR compliance?

GDPR stands for General Data and Privacy Regulations, which refers to data privacy laws protecting user’s data.

GDPR requires all companies gathering visitor and user data to seek, obtain, and record explicit consent.

Data privacy isn’t going away. Organizations need to understand that they are responsible for implementing clear communications on how they intend to use, save, and store customer and site visitor data.

Global Privacy Map

Source:  World Federation of Advertisers.


Who’s liable? How does compliance in Canada impact businesses?

If your website collects data, and you are unsure of the correct steps to protect that data, you may be at risk of not adhering to regulations. 

  • GDPR can be enforced against ANY organization, ANYWHERE
  • GDPR is a Global Standard for Privacy – Global Privacy Map
  • If any EU citizen can access your website and you don’t show a cookie notification, but have trackers enabled on the site, you could be fined.

How to secure consent

Updating your website’s Terms and Conditions is not enough. You cannot assume a visitor will click into a page on your website before they submit a form to register or subscribe. You must implement explicit consent.

The law defines two types of consent. Implied consent and express. Most marketing requires express consent, a record of permission to receive specific messages.

You must do these:

  • Obtain consent that you are storing and providing personal data
  • Provide the user the ability to access, edit or remove personal data without delay
  • Provide the user the right to stop processing their information
  • Provide access to update your user data of any breaches within 72 hours 
  • Ensure your website has up to date and accurate Terms and Conditions and a Privacy Policy

You Should Do these:

  • Design with data privacy in mind
  • Collect and process personal data with consent to comply with GDPR and explicit consent for all usage
  • Use clear and plain language on your website forms
  • Get consent again every time you do something new
  • Provide repeated ways to withdraw consent
  • Legitimize interest in asking for the data

Does all data apply to GDPR?

Personal Data is broadly defined. PII is defined as Personal Identifiable Information. It is any data that could be mapped back to a specific person. In 2014 Canada’s anti-spam law (CASL) was introduced, which has been amended to include Personal Information Protection and Electronic Documents Act (PIPEDA), which covers the collection, use, and disclosure of personal information. 

Examples of PII are:

  • Name
  • Phone number
  • Email address
  • Address
  • Credit Card
  • Customer Number
  • Tracking ID
  • Cookies
  • Behaviour data

Examples of Anonymous Data are:

  • Gender, Title, Industry


GDPR readiness

The first step towards compliance is classifying the collected data:

  • Is it personal data?
  • Is it first person, second person or third-party data?
  • Where does the data get stored?

The second type of data is information that could be used to de-anonymize anonymous data.  

Lastly, examples of PII data are when you collect and save data like employee, application or resume data. For more details on types of data check out this article.

In order to be compliant, encrypting your data is the safest bet. Seek out ways to implement this.

Next, consider the following:

  • Using a pop-up window asking to ‘Accept’ or ‘Decline’ on your site
  • Self-service member data to modify consent and withdraw it

Also inform your team that any data breach must be reported within 72 hours.

GDPR glossary: Terms & roles

Data subject (DSRs)

Processing of personal data of data subjects in EU. This is legally required from any company that has a website that collects user data.

 Data controller

The entity that determines the process and means of processing personal data.

  • First party data is what you collect
  • Second-party data is through partnerships, like list exchanging from a webinar sponsor
  • Third party data is purchased from a vendor, so if you buy it you’re responsible for it

Data processor

The entity that receives, collects, transmits or uses personal data in any way on behalf of any data controller. This includes Mailchimp (emails), Salesforce (email, location), and any external processing systems with access to analyze your data.

Basic GDPR checklist:

  • Acquisition
    • Information map identifying sources of data – internal, external such as GA, SF
    • Is explicit compliant consent part of the current process? Yes or No?
    • Do you know where the consent record is stored?
    • Can you access, change or remove it? Or can the User?
  • Usage
    • Do you clearly explain what you will do with this data?
  • Sharing
    • Will the data move outside of the organization at any time?
    • Do you share it with vendors, partners, external contractors?
  • Life Span
    • How long will you store the data? 

Develop your own Data Compliance Checklist for internal use and to demonstrate compliance. This will help you audit your organization and your vendors.

About CASL

CASL is Canada’s anti-spam legislation which protects digital consumers from misuse and from being spammed by businesses. ‘CASL has caused companies to be more disciplined in managing their electronic marketing programs,’ according to the Canadian government website

Tips for GDPR compliance for marketers

  • Don’t collect data you don’t intend to use or need
  • Continue to educate and learn how to uncover risk
  • Seek legal expertise on non-compliance liabilities
  • Design data collection processes and systems with compliance in mind
  • Implement safeguards for compliant data collection, usage, and storage procedures

Here is a great example of a company, happify, that has embraced their commitment to GDRP compliance and taken the time to leave a positive brand impression on site visitors and customers.

Avoid legal action and unnecessary fines that will tarnish your brand. Get more compliance tips from CRTC, take a quick read through this Privacy Commissioner of Canada Guide for Businesses doing e-marketing, and take the Linkedin Learning Course here.

If you need help understanding your digital information I provide Digital Audits.

***Please note that this blog article is intended as a general overview of the subject and cannot be regarded as legal advice.