What Canadian brands need to know about the GDPR

How brands manage their users’ privacy is about to undergo a seismic shift.

The General Data Protection Regulation (GDPR), a new piece of European Union legislation, is set to take effect on May 25, 2018.

It will radically alter the responsibilities companies have for collecting, storing and protecting their customers’ data.

The GDPR’s impact will be far-reaching – both in Europe and around the world.

In this post we’ll look at what Canadian brands need to know to get ready for the GDPR.

What is the GDPR

The GDPR is a new piece of legislation aimed at protecting the privacy and data of EU citizens.

It will radically expand companies’ legal requirements for collecting, storing and using their audiences’ data.

Businesses will now need to explain to users, in plain language, exactly what they are collecting their data for when they receive their consent.

They’ll also need to re-gain consent if they plan to use their data for other purposes at any time. Then, if the person wants their data deleted or changed, it will be up to the company to honour those requests.

Finally, the GDPR places limits on how companies can transfer that data to third parties.

The penalties for non-compliance?


Companies can receive fines of up to four per cent of annual revenue or €20 million (around $31 million CAD) – whichever is greater.

The most terrifying part of the GDPR?

How few professionals are even aware of its existence.

A February 2018 survey from HubSpot shows just 36 per cent of marketing and business leaders had even heard of GDPR.

What Canadian companies need to know about the GDPR

The GDPR is clearly going to change the game on privacy.

Here’s how Canadian companies can prepare.

It even applies to companies outside the EU

Don’t do business in the EU?

The GDPR will still impact you.

Just as Canada’s privacy legislation applies to any business that collects data from Canadians, so too will the GDPR apply to any company that collects or stores data from an EU citizen.

Consider the following everyday marketing activities:

  • Placing cookies and remarketing tags on websites
  • Communicating with customers (for instance: A monthly newsletter)
  • Collecting e-mail addresses and contact info

Anyone in the world can perform these activities on your site from anywhere, including the EU.

That means you’ll need to respect and comply with the GDPR – regardless of where you operate.

Consent is King

One thread running through the changes to the GDPR is the notion of consent.

You need to get permission from users at every stage of the customer journey.

This includes:

  • When you are collecting data in the first place
  • When you are changing how you will use their data
  • When you are sending your users’ data to a third party
  • When your customers ask you to delete or alter their data

With the GDPR it’s best to err on the side of too much – rather than not enough – consent.

You need to know what data you are storing

It’s not enough to change how you collect data.

You also need to pay attention to the user data you already own.

A big part of the GDPR revolves around data protection.

That means your company is responsible for providing security for the information it has. Data encryption and anonymization will be some of the tactics that will need to be used.

Another big part of the legislation is showing you are compliant.

That means you’ll also need to, for example, show that you’ve obtained the consent of the people from whom you collected information.

CASL compliance isn’t sufficient

Companies that went through the process of complying with the Canadian Anti-Spam Law (CASL) a few years ago will be off to a good start with the GDPR.

But it won’t be enough.

CASL has been in effect since 2016. Companies had to go to great lengths – such as obtaining explicit permission from everyone on their email lists – to comply.

But GDPR is more stringent in some places.

For example: Under CASL, there are no restrictions on the age someone must be to consent. With GDPR, parents need to provide consent for anyone 16 and under.

There are also differences in general consent and opt-out duration.

Protecting the data you collect is on you

Do you share customer data with or use data from third parties?

Then you’d better listen up.

You’re not allowed to share the data you collect with other organizations – unless you’ve obtained your users’ explicit permission to do so.

That means you need to get consent either:

  1. When you collect the data in the first place; or
  2. After you’ve collected the data but before you decide to change how you’re going to use it.

Once that data has been shared, it’s on you to ensure that the third party abides by the original terms of the agreement.

That means, for example, that a third-party vendor can’t use the data in ways for which the user didn’t provide explicit consent.

The same thing applies if you’re using data from a third party, as you’ll need to ensure that data also complies with the GDPR.

The GDPR and Canada

The times they are a-changin’ when it comes to user privacy.

Increasingly, governments are drafting legislation to protect audiences.

It’s not just the GDPR either.

Users are more aware of how their data is used than ever before.

Canadian marketers need to be aware not just of the law, but of what their customers want regarding user privacy.

Mark Brownlee is a Digital Marketing Strategist at Banfield.
