Entrepreneurship & Small Business

GDPR implications for Canadian small business?

  • Last Updated:
  • Jun 10th, 2018 11:39 pm
[OP]
Deal Addict
Jul 3, 2017
3860 posts
2763 upvotes

As you are probably aware from the flood of "Updating our privacy policy" email messages, the European Union has brought in new regulations potentially affecting companies worldwide that deal with EU residents.
https://www.ctvnews.ca/business/ready-o ... -1.3944795

I'm wondering if there are any implications for small business in Canada that may interact with EU citizens. For example our web site has a Contact Us form that sends us an email via our web host. The Contact Us form may contain personal ID information supplied by the user who fills it out. Email is not secure - it's not encoded and typically passes through a couple of intermediate servers. It may end up archived in our email files, and in some cases in a list of enquiries we have received that asked for future follow-up.

What responsibilities do we have, if any? We keep all of our corporate files secure from public access, to the extent that anyone can, but they are not necessarily encrypted on our servers. We can't do anything about the email chain, since much of it is out of our control, and I'm sure the email archive on every computer and laptop is not encrypted. In some cases employees traveling may be accessing their email through cloud services like Gmail too.

Has anyone looked into these issues?
13 replies
Newbie
Feb 16, 2016
31 posts
4 upvotes
I work for a large Payroll/HR company and we work with many international clients. I have seen a massive increase in our global solution sales due to GDPR exclusively.

We have some specialists who have studied GDPR inside out - but the fines can get hefty, quickly.

The good news is, they are saying legislators aren't prepared for it either.
[solicitation removed]
Newbie
Jul 10, 2012
14 posts
1 upvote
Toronto
Basically, if you are touching an EU citizen, GDPR applies to you. If you don't want to deal with GDPR, you will have to not have anything to do with an EU citizen.
Deal Addict
Sep 23, 2007
4839 posts
1013 upvotes
But from a practical standpoint, how would I know I am dealing with an EU citizen? Like, if the customer provides a Canadian address, I have no reason to even think about EU citizenship.
Sr. Member
Nov 12, 2014
774 posts
519 upvotes
Kingston, ON
BananaHunter wrote:
May 31st, 2018 2:51 am
But from a practical standpoint, how would I know I am dealing with an EU citizen? Like, if the customer provides a Canadian address, I have no reason to even think about EU citizenship.
You'll have to start asking every client, likely.
Deal Fanatic
Jun 17, 2013
5120 posts
1491 upvotes
Montreal
fernandodave wrote:
May 30th, 2018 10:02 pm
Basically, if you are touching an EU citizen, GDPR applies to you. If you don't want to deal with GDPR, you will have to not have anything to do with an EU citizen.
That is not correct and you are not allowed to do that.
Deal Fanatic
Jun 17, 2013
5120 posts
1491 upvotes
Montreal
BananaHunter wrote:
May 31st, 2018 2:51 am
But from a practical standpoint, how would I know I am dealing with an EU citizen? Like, if the customer provides a Canadian address, I have no reason to even think about EU citizenship.
Simply apply the law to everybody. That is the easiest.
Member
Oct 24, 2009
333 posts
70 upvotes
I may not have the in-depth understanding of the scope of GDPR for Canadian businesses, but there was recently a really good seminar hosted by a law firm in Toronto. My takeaways were that you are directly impacted by it if i) you have a presence in the EU, ii) you offer goods/services to individuals in the EU, and iii) you monitor the behaviour of individuals in the EU. You are indirectly impacted if you process personal data of individuals in the EU for another company which is subject to GDPR, or if you are involved through international transfer arrangements.

When you say you interact with individuals in the EU, does that mean you sell your products or services to them? There is a considerable overlap between GDPR and PIPEDA, and as long as you are complying with PIPEDA you may be covered, except GDPR requires that individuals be given the right to have their information erased.
[OP]
Deal Addict
Jul 3, 2017
3860 posts
2763 upvotes
This is all very well, but what are the practical implications for Canadian small business? e.g., in the situation I outlined in the first post? What are we actually supposed to do that's new or different?
Sr. Member
Nov 12, 2014
774 posts
519 upvotes
Kingston, ON
Exp315 wrote:
May 31st, 2018 10:54 pm
This is all very well, but what are the practical implications for Canadian small business? e.g., in the situation I outlined in the first post? What are we actually supposed to do that's new or different?
Ask your lawyer.
Deal Fanatic
Jun 17, 2013
5120 posts
1491 upvotes
Montreal
Exp315 wrote:
May 31st, 2018 10:54 pm
This is all very well, but what are the practical implications for Canadian small business? e.g., in the situation I outlined in the first post? What are we actually supposed to do that's new or different?
What QN5252 said. People are paying good money to avoid issues. There is a reason for that.

In general, it is simple. Don't store what you don't need. Track what you store and why you store it. Let users know what you store and why. Have a business case for everything you store; if not, don't store it.
Be ready for if someone asks you what data you have on them.
Be ready to be able to delete any data if someone asks you to.
Make sure you give users options to opt in/out and be clear about it.

That is all....
Deal Addict
May 12, 2014
2061 posts
1535 upvotes
Montreal
neverhaveiever wrote:
Jun 1st, 2018 9:21 am

In general, it is simple. Don't store what you don't need. Track what you store and why you store it. Let users know what you store and why. Have a business case for everything you store; if not, don't store it.
Be ready for if someone asks you what data you have on them.
Be ready to be able to delete any data if someone asks you to.
Make sure you give users options to opt in/out and be clear about it.

That is all....
Sounds so easy in theory. Exceedingly difficult in practice.
That's the reason it's costing so much to comply, with no assurance that you won't be fined anyway.
Deal Fanatic
Jun 17, 2013
5120 posts
1491 upvotes
Montreal
FrancisBacon wrote:
Jun 2nd, 2018 5:31 am
Sounds so easy in theory. Exceedingly difficult in practice.
That's the reason it's costing so much to comply, with no assurance that you won't be fined anyway.
I know I made it sound easy, but you are right. In reality it is a cluster. The whole thing is a mess. It is not very clear and concise. If you do any interactions at all, you need to know the who, what, when, where, and why for every piece of data. If you are sitting on a multi-GB or bigger database that is spaghettied together... good luck.
Jr. Member
Oct 16, 2013
164 posts
13 upvotes
Toronto, ON
Yeah, I've had to do it (not a lawyer, but worked extensively with our legal team).

To your questions:

If you don't need the personal ID info, then remove those fields from your contact form. One of the ideas behind GDPR is that you can't associate the information received with an identifiable natural person (Article 4(1)).

The problem with personal ID collection is that a user has the right to request deletion of it (unless you had some legal reason not to do so). That would be a problem for your existing contact form.

So if you must collect personal ID, then one solution is to use something like Zendesk. Whenever someone fills out your contact form, a ticket is generated, and all that's sent via email is a notification (i.e. "new ticket opened", without the details of the message). If you ever had to delete, it would be relatively simple, as opposed to an email with personal data that's landed in multiple inboxes. A Zendesk-like solution, if SaaS, also takes care of other requirements such as backups, encryption, etc.

Regarding encryption, this is not a GDPR requirement, but it is mentioned a handful of times in the regulation. Rather, you just need to document the extent of precautions you've taken. For example, if there is no public access to the data, then that's a pretty tough argument to find fault with (from a regulator's perspective).
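An added illustration of the ticket-based design described in the post above (not code from the thread, nor from Zendesk or any other product): the contact-form submission is stored in one place, the email notification carries only the ticket reference rather than the personal data, and access and erasure requests act on that single store. The `ContactDesk` class and the sample submission are hypothetical and constructed for this example.

```python
import uuid
from dataclasses import dataclass, asdict


@dataclass
class Ticket:
    """One contact-form submission; the only copy of the personal data."""
    ticket_id: str
    name: str
    email: str
    message: str


class ContactDesk:
    """Hypothetical minimal helpdesk standing in for a SaaS ticket system."""

    def __init__(self):
        self._tickets = {}   # ticket_id -> Ticket (the single PII store)
        self.outbox = []     # notification emails that would be sent to staff

    def submit(self, name, email, message):
        """Store the submission as a ticket and email only a reference to it."""
        ticket_id = uuid.uuid4().hex[:8]
        self._tickets[ticket_id] = Ticket(ticket_id, name, email, message)
        # The notification deliberately omits name, address and message body,
        # so inboxes, archives and relay servers never hold the personal data.
        self.outbox.append(f"New contact ticket {ticket_id} opened")
        return ticket_id

    def get(self, ticket_id):
        """Staff look up the details in the ticket store, not in email."""
        return self._tickets.get(ticket_id)

    def export_for(self, email):
        """Access request: everything held about this email address."""
        wanted = email.lower()
        return [asdict(t) for t in self._tickets.values()
                if t.email.lower() == wanted]

    def erase(self, email):
        """Erasure request: delete every ticket for this address, return count."""
        wanted = email.lower()
        doomed = [tid for tid, t in self._tickets.items()
                  if t.email.lower() == wanted]
        for tid in doomed:
            del self._tickets[tid]
        return len(doomed)
```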