The GDPR – What you need to know


For the longest time businesses have been competing on elements such as sales and margins. Today, offering a differentiated customer experience is what companies are focusing on to steal market share; they are aware of the growing need to collect more information on their customers. With personalized communications representing one of the most effective ways to engage customers, businesses are heavily leaning on a highly valuable resource: data. But be careful! Data leverage must be handled with care and transparency must be provided to consumers. The Canadian government takes this very seriously and introduced anti-spam legislation in 2014 (CASL), which is now an integral part of any marketer’s life.

Another piece of legislation was recently implemented on the other side of the Atlantic: The General Data Protection Regulation – GDPR. I felt it was important to take a few minutes to expand on the information available and provide you with a clear perspective on what this regulation entails.


The new General Data Protection Regulation came into effect on May 25th, 2018.

It affects businesses, public organizations and any entity that collects personal information of European residents. Subcontractors working for these organizations are also subject to the regulation.

The impact of the GDPR, however, extends beyond the boundaries of Europe. If a Canadian marketer collects personal data and sends emails to individuals living within the EU, they must be able to justify the type of data they are collecting and their purpose for doing so.

Personal data

What types of data are considered personal?

Personal data is deemed to be any information that allows someone to directly or indirectly (through cross-checking) identify an individual. This includes: last name, first name, email address, postal code, IP address, telephone number, place and date of birth, credit card number, photo, age, gender, DNA, biometric data, genetic data, online behavior (such as websites visited), interactions on social networks, etc.

This data exists and is housed in companies’ customer databases. The data affected is therefore not limited to data sourced from social networks such as Facebook, as was the case in the Cambridge Analytica scandal.

The 4 key principles

1. Consent

Consent as defined by the GDPR shares certain similarities with Canada’s Anti-Spam Legislation (CASL):

  • It requires a person to take action (i.e. no pre-checked boxes in email subscription forms).
  • It must be presented separately in terms and conditions (i.e. a person cannot be forced to opt in to communications if they wish to access a white paper).
  • It must be easy to withdraw/unsubscribe from communications.
  • The organization must be able to prove three criteria (Who/When/Where): who consented, on which occasion (place, date) and in what context (collected in-store, web form, etc.).
  • The regulation also applies to past consent: the GDPR applies not only to consent obtained after May 25th, but also to all consent obtained prior to that date. If consent was not obtained according to GDPR standards, it must be collected again.

2. Transparency

Organizations must explicitly indicate to users how their data will be used. This information must be clearly presented and worded so as to be easily understood by the general public. It must also be easily accessible (i.e. on a website, in a form).

Furthermore, the principle of transparency applies if hackers access the personal data held by an organization. If this occurs, the organization has 72 hours to alert the authorities of the scope of the leak (type and volume of data). The organization must also directly communicate with each person affected by the data leak (and not only through a website or social media).

3. Rights of individuals

Right to be forgotten

If a person no longer wishes for their personal data to be used, they may ask an organization subject to the GDPR to delete their data. Organizations have a month to comply.

Data portability

Any individual has the right to ask an organization that is collecting their data to provide all the data it possesses on them in a downloadable, structured format.

Data can only be transferred to another data processor if requested by the person concerned. Based on the GDPR text, we can deduce that in theory the sale of personal data without an individual’s consent is no longer permissible.

4. Responsibility

It is incumbent on each organization to apply the principles set out in the GDPR and to provide proof of compliance if necessary.

Organizations must therefore adapt from a technical and organizational viewpoint in order to respect the articles and clauses of the GDPR.

A DPO (Data Protection Officer) must be appointed if the organization uses personal data on a mass scale or if it is a public organization. The DPO is responsible for ensuring the organization has implemented the necessary steps and processes to be GDPR compliant.


There has also been much talk about the potential sanctions that organizations will face if they fail to comply with the GDPR.

The maximum penalty can be as high as 20 million euros ($30 million CAN) or 4% of a company’s total annual income, whichever amount is greater.


The GDPR has received much attention: new principles, international impact and the scale of sanctions.

As is the case for any new legislation, it is best to take a step back; the GDPR is still very new and there is little jurisprudence and interpretation to date. Aside from what has been written about potential sanctions, we must wait for a certain number of legal decisions to occur before we can truly know the exact cost of these sanctions.

At Relation1, we believe the principles of the GDPR are pertinent. We all generate a significant share of data that is increasingly easy to exploit thanks to advances in technology (AI in particular). Greater transparency concerning collected data makes sense, since it contributes to creating a stronger climate of trust. I view it as being similar to the concept of traceability, which allows a client to know the origin of the product they purchased and how it was grown or manufactured.

Being more aware of the data they generate and its potential, customers are also becoming more demanding of the organizations with whom they interact. We should all, as consumers, feel more recognized over time through personalized experiences and interactions with meaningful content that reflects our interests.

That’s why, in our opinion, the GDPR is worthwhile. It should help enrich the customer experience by nourishing a win-win relationship between consumers and organizations.

How about you? What’s your stand on all of this?
