I don’t know about you, but I’m getting pretty sick and tired of receiving GDPR emails. My inbox has been flooded. But it got me thinking: Are we GDPR compliant if we’re CASL compliant?
The simple answer is no. But odds are that if you’re GDPR compliant, your CEMs (Commercial Electronic Messages) are CASL compliant as well. CEMs are just one element of GDPR, though.
In short, CASL governs only CEMs, while GDPR governs the processing and protection of personal data as a whole.
What is GDPR?
On May 25th, 2018 the EU’s General Data Protection Regulation, better known as the GDPR, became enforceable. The regulation not only limits what companies can do with your data but also gives you more control over how your data is collected and used. Should a company want to use your data, under GDPR it must have a lawful basis for doing so and be able to show it.
Here in the Great North, we already have to comply with Canada’s Anti-Spam Legislation, or CASL for short, which means we’ve already taken the steps to obtain clear, positive opt-in consent from clients (and to let them opt out!) for our electronic communications.
Feeling overwhelmed? Here’s our comparative guide to GDPR and CASL compliant CEMs, along with useful information to reach GDPR compliance.
Who Does GDPR and CASL Apply To?
The GDPR applies to ‘controllers’ and ‘processors’. A controller determines the purposes and means of processing personal data, while a processor processes personal data on behalf of a controller. Although it is EU law, it is not limited to organisations established in the EU: any organisation located outside the EU that offers goods or services to, or monitors the behaviour of, data subjects in the EU will need to be GDPR compliant.
In contrast, CASL applies to anyone who is sending out Commercial electronic messages (CEMs). For more info on CASL, check out our King of the CASL blog post!
What Information Does GDPR & CASL Apply to?
Both the GDPR and CASL cover the protection of personal data and the consent of individuals to provide it. GDPR extends further: it also covers the monitoring of individuals, and any processing connected with offering goods and services, not just the sending of messages.
What is Personal Data?
According to the GDPR (Article 4), personal data is “any information relating to an identified or identifiable natural person”, where an identifiable person is “one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This includes, but is not limited to: names, ID numbers, location data and online identifiers such as IP addresses and cookie IDs. Certain “special categories” of data (Article 9), such as racial or ethnic origin, health data and genetic or biometric data, are treated as sensitive and can only be processed under stricter conditions. Data relating to criminal convictions and offences is still personal data under GDPR (Article 10), but may only be processed under the control of official authority or where EU or member-state law authorises it.
How Does GDPR Impact My Current Data?
To comply with GDPR, you must be able to prove a lawful basis for collecting and storing the data of every subject in your databases, and have measures in place should you suffer a data breach. If consent is your lawful basis (and for marketing e-mail it almost always is), that consent must be a clear affirmative action: GDPR does not recognise the “implied consent” that CASL allows for up to 24 months after an existing business relationship, so a CASL-style implied-consent list is not a GDPR-consented list.
You will need to audit your existing databases and clean them up so that they contain only consenting subjects, and so that you can prove when, how and on what wording each of them consented.
To avoid penalties, consider this golden rule: if you cannot show where a record’s consent came from, delete it.
If you are already CASL compliant, you’ve been through a similar database clean-up, which means the audit won’t be too much of a hassle. The one thing to check is that every record rests on express consent, not on the implied-consent window.
What Do I Need to Achieve Consent?
Under the GDPR, consent is only one of six lawful bases on which you can collect and process data. Recital 47 does mention direct marketing as a possible “legitimate interest”, but the EU’s ePrivacy rules on unsolicited electronic marketing, like CASL, still come back to prior consent for most marketing e-mail. Since we are mainly dealing with marketing communications, consent is the basis to build around.
Fortunately, for us CASL complying Canucks, the lawful basis of consent requires similar elements as CASL.
- All data collection processes need to include a clear, positive opt-in (e.g. a checkbox that is unticked by default; pre-ticked boxes do not count)
- The opt-in wording must be presented separately from other terms (e.g. written clearly next to the checkbox, not buried in the terms and conditions)
- Every communication must include a clearly indicated withdrawal mechanism (e.g. an unsubscribe link on its own line at the bottom of the e-mail)
- Any third parties who will rely on the individual’s consent must be named in your documentation and stated clearly alongside the positive opt-in
- You must record when an individual consented, what they were told at the time of consent, how they consented (e.g. newsletter subscription, at checkout, etc.) and whether they have since withdrawn consent (unsubscribed)
- It’s best practice to use a double opt-in process for e-mail communications (it keeps a clean, verifiable record of consented individuals and keeps addresses nobody actually submitted off your list)
- You may want to send a re-permission campaign to individuals whose consent does not meet the GDPR standard, or for whom you cannot show whether consent was express or implied. This will clean and refresh your existing lists.
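The record-keeping, double opt-in and re-permission points above are easiest to see as one small piece of code. The following consent ledger is an added example, not code from the original post or from any particular mailing tool: it refuses pre-ticked opt-ins, issues an HMAC-signed confirmation token for the double opt-in, stores the proof of consent (when, how, the exact wording shown, named third parties) and can list the records that still need a re-permission campaign. The e-mail addresses, the signing secret and the notice text are constructed for illustration.

```python
"""Consent ledger with double opt-in and a re-permission query (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed secret for this example; in production load it from a secrets store.
CONFIRM_SECRET = b"example-only-secret-rotate-me"
# How long a double opt-in confirmation link stays valid (assumption for the example).
TOKEN_TTL = timedelta(hours=48)


@dataclass
class ConsentRecord:
    email: str
    requested_at: datetime
    source: str                      # how they consented, e.g. "newsletter_form", "checkout"
    notice_sha256: str               # hash of the exact wording shown at the time
    third_parties: List[str]         # third parties named next to the opt-in
    confirmed_at: Optional[datetime] = None   # set by the double opt-in click
    withdrawn_at: Optional[datetime] = None   # set by an unsubscribe
    nonce: str = field(default_factory=lambda: secrets.token_hex(16))


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def request(self, email: str, source: str, notice_text: str,
                third_parties: List[str], prechecked: bool, now: datetime) -> str:
        """Record a positive opt-in and return the double opt-in token to e-mail out."""
        if prechecked:
            # A box ticked by default is not a clear affirmative action under GDPR.
            raise ValueError("pre-ticked boxes are not valid consent")
        rec = ConsentRecord(email, now, source,
                            hashlib.sha256(notice_text.encode()).hexdigest(),
                            list(third_parties))
        self._records[email.lower()] = rec
        return self._token(rec)

    def import_legacy(self, email: str, imported_at: datetime) -> None:
        """Register an address from an old list whose consent cannot be proven."""
        self._records[email.lower()] = ConsentRecord(
            email, imported_at, "legacy_import", "", [])

    def _token(self, rec: ConsentRecord) -> str:
        # Token is bound to the address and a per-request nonce, so it cannot be
        # guessed or replayed against another subscriber.
        msg = f"{rec.email.lower()}|{rec.nonce}".encode()
        return hmac.new(CONFIRM_SECRET, msg, hashlib.sha256).hexdigest()

    def confirm(self, email: str, token: str, now: datetime) -> bool:
        """Second step of the double opt-in; returns True only for a valid, timely token."""
        rec = self._records.get(email.lower())
        if rec is None or rec.confirmed_at is not None:
            return False
        if now - rec.requested_at > TOKEN_TTL:
            return False
        if not hmac.compare_digest(token, self._token(rec)):
            return False
        rec.confirmed_at = now
        return True

    def withdraw(self, email: str, now: datetime) -> bool:
        """Unsubscribe: keep the record (as proof) but stop all sending."""
        rec = self._records.get(email.lower())
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = now
        return True

    def can_send(self, email: str) -> bool:
        rec = self._records.get(email.lower())
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None

    def proof(self, email: str) -> Optional[dict]:
        """What you hand an auditor: when, how, on what wording, and any withdrawal."""
        rec = self._records.get(email.lower())
        if rec is None:
            return None
        return {"email": rec.email, "requested_at": rec.requested_at.isoformat(),
                "confirmed_at": rec.confirmed_at.isoformat() if rec.confirmed_at else None,
                "withdrawn_at": rec.withdrawn_at.isoformat() if rec.withdrawn_at else None,
                "source": rec.source, "notice_sha256": rec.notice_sha256,
                "third_parties": rec.third_parties}

    def needs_repermission(self, now: datetime) -> List[str]:
        """Addresses with no confirmed consent whose opt-in window has lapsed."""
        return sorted(e for e, r in self._records.items()
                      if r.confirmed_at is None and r.withdrawn_at is None
                      and now - r.requested_at > TOKEN_TTL)
```

The ledger never deletes a withdrawn record, because the record of the unsubscribe is itself part of the proof; sending is gated on `can_send`, not on the record’s existence. Anything returned by `needs_repermission` is a candidate for the re-permission campaign, and anything still unconfirmed after that campaign is what the golden rule says to delete.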
As you can see, the GDPR requirements for CEM consent are largely identical to the CASL requirements. One additional requirement under GDPR is parental consent for children under the age of 16 when online services are offered directly to a child (member states may lower this threshold to 13), which means you will need an age verification step if you believe your organization will be collecting such data.
Here’s a quick example of a non-compliant and a compliant GDPR consent form:
Do I Need to Alert My Customers?
If you know for a fact that your databases have been scrubbed down to consenting data subjects only, then technically you don’t need to send out an opt-in e-mail like the ones flooding your inbox. But if you have a shadow of a doubt, it’s best practice to send one out ASAP and go through your lists one more time.
What you do need to do is update your privacy documentation, send out a notice of the changes, and explicitly explain the following:
- Who is collecting the data
- What data is being collected
- What is the lawful basis for processing the data
- Will the data be shared with any third parties
- How will the information be used
- How long will the data be stored for
- What rights does the data subject have
- How can the data subject raise a complaint
If you set cookies, your cookie notice needs the same treatment:
- Info on the data you’ll be collecting with the cookie
- What that data will be used for
- A positive opt-in button that allows the user to consent, and
- A link to a dedicated privacy page with more information
What Are The Penalties?
Should you fail to comply with GDPR, your company can be fined up to €20 million (~$30 million CAD) or 4% of your worldwide annual turnover, whichever is higher. On top of the fines, individuals can also seek compensation for damages suffered. With stakes that high, it’s no wonder companies are scrubbing their databases and sending out e-mails to everyone.
It’s extremely important to have your team properly trained and educated on GDPR to avoid non-compliance. Under GDPR, it’s mandatory to appoint a designated Data Protection Officer (DPO) if you are:
- A public authority
- An organization whose core activities involve regular and systematic monitoring of individuals on a large scale
- An organization whose core activities involve large-scale processing of special-category (sensitive) or criminal-offence data
Unlike CASL, which can hold directors and officers personally liable, GDPR fines fall on the controller or processor as an organization (unless, of course, you are a sole trader and the organization is you). The DPO’s role is to monitor and advise on GDPR compliance, but the DPO is not personally liable for non-compliance; responsibility stays with the organization.
Even if a DPO is not mandatory for your organization, it’s best practice to designate someone who is responsible for making sure the entire team is complying.
Have We Covered All Our Bases?
To be completely honest, no. There is far more to GDPR than we can cover in one blog post. We’ve covered one of the six lawful bases for processing data, consent, and how to bring your CEMs into GDPR compliance. There’s still a slew of topics you need to know about: protecting data, handling data-subject requests, the rights of individuals, the other lawful bases, and more.
We recommend reading the entire GDPR document, along with focusing on topics that apply to your organization.
In the meantime, we’ve created a handy checklist that reflects everything we’ve covered (click the image below to visit the full PDF).