CRM & GDPR: What the “GDPR” Means for Canadian Businesses

The General Data Protection Regulation is a control measure that will come into effect May 25 2018 and regulates the collection of data for European residents.

However, these new regulations don’t just affect companies in Europe.  In fact, the GDPR will affect any business that processes the personal data of European residents.  Canadian businesses that possess data on European residents must also follow the new legislation.

“Data processing” refers to the collection, access, storage, handling, viewing and destruction of data.  So a business that uses a third-party to collect and store data is still affected to the extent that it remotely views the results.

Businesses that violate the GDPR can be subject to two fine scales. The first is a substantial fine of up to 10 million euros or 2% of the company’s yearly global revenue, whichever is higher.  The second, which can be an even more substantial fine, can reach up to 20 million euros or 4% of the company’s yearly global revenue, a serious repercussion for not following the regulation.

The key principles of this new law are relatively simple:

  • Consent
  • Transparency
  • Consumer rights
  • Responsibility

The principle of consent
will be reinforced by the GDPR. Starting May 25 2018, the consumer’s consent to having their data be collected must be positive and explicit.  In addition, businesses must be able to prove this consent.

When it comes to B2B businesses, receiving consent is not required if the intention of the collection is kept.

For cookies, the reason for the cookies must be listed as well as the user’s right to deny the cookies.

The principle of transparency simply means that businesses must provide express and clear consent on the how their consumers’ data will be used.  This information must be given unambiguously and be accessible for everybody.

Consumer rights cover all the new rights European citizens will be granted by the GDPR.

First, European residents will be able to access information collected on them.  If they make a request, the company has one month at max to respond to and satisfy this request.

The users’ right to be forgotten will be also improved. In fact, companies will now have up to one month instead of two to delete data on a consumer when they make such a request.  Every replication of the data must also be deleted.

A new law will also become effective, and this one concerns the portability of information.  A consumer will be able to receive information they provided in an easily reusable format for the purpose of transferring it to a third party.

The last principle is Responsibility. As we can see from the recent Facebook scandal, a company must document their security measures for protecting data and reinforce these methods in order to prevent intrusions.

In addition, businesses affected by the GDPR must notify the relevant regulation body within 72 hours in the event of a security failure.  Physical people must be notified “as soon as possible”.


In Canada, with the PIPEDA (Personal Information Protection and Electronic Documents Act), which has existed since 2004, Canadian companies will be familiar with a good number of the protection measures contained in the GDPR, so the adopting this law won’t be a big deal for the most part.  Some companies, on the other hand, will have to designate a resource (Data Protection Officer) when they handle sensitive data or handle data on a large scale.  For most, a simple overview of the new regulations should quickly indicate what your company should do to comply with RGDP.

Additionally, if you are found guilty of not complying with the GDPR, an audit could help prove that you have taken significant measures to protect your data.  If you receive a fine, you could have it reduced. Keeping track of the implementation of confidentiality measures will validate this point and help you stand out from companies that have not taken any measures to comply.


If you have questions about the GDPR or the PIPEDA, feel free to contact us using the form or address on the following page:  Contact us


Editor’s note: This blogpost has been inspired by our partner SugarCRM