The unprecedented flow of information across national borders today with few barriers consequently led to domestic data protection laws having increasing implications abroad. A prime example would be the much discussed European legislation called GDPR (Global Data Protection Regulation). GDPR will have implications for Canadian businesses of all types and sizes, adumbrating new measures for them to adopt so as to lawfully hold the data of EU citizens.
In essence, GDPR expects mainly two things from businesses.
- Obtain consent for all EU citizen data held
- Implement internal processes to guarantee the protection of data
GDPR was adopted by the European Parliament in April 2016, and will come into effect on May 2018 replacing Data Protection Directive 95/46/EC. Any global organization that holds data on an EU citizen is liable to comply or incur hefty penalties. This applies to organizations, holding EU citizen data, physically located in Canada as well.
Canadian organizations, from startups to SMBs, have to assess the impact of GDPR on their activities and the potential changes to be made to apply it in order to stay onside of the new law.
Key points for Canadian businesses
The GDPR impacts Canadian businesses in many ways. The most important thing is that a Canadian business doesn’t need to be physically located in the EU in order to be included under GDPR. Holding the data of an EU citizen will have the organization be covered by the regulation. Failure to comply will incur massive fines that can come in two tiers.
The first is a big fine that could go up to €10 million or 2% of the business’ global annual turnover, whichever is higher. The second tier is an even bigger fine of up to €20 million or 4% of the business’ global annual turnover.
Notable obligations that apply under GDPR
The new regulation demands a number of obligations that do not exist in Canada. Here are a few to take note of.
- Obligations on controllers and processors – Statutory obligations are imposed on:
- Controllers – Persons who determine purposes and means of the processing of personal data of EU citizens.
- Processors – Persons who process data on behalf of the controllers.
Canadian privacy laws apply only to controllers who are in turn responsible for the processors’ compliance. Now GDPR imposes obligations on both parties.
- Consent for processing – Personal data can be processed (which includes collection, storage, usage, disclosure, erasure) under the new regulation only when certain conditions/requirements are met, one of which being consent. If consent is not obtained, there are alternative grounds to processing personal data.
- Security & privacy measures – Controllers and processors are obligated to implement appropriate measures to ensure a level of security based on the risk. These measures should also take various considerations set out in the GDPR into account.
- Breach notification – In case of a personal data breach, the controller is obligated to notify the supervisory authority within specific time-frames. The data subject must also be conveyed without delay.
- Automated processing – There are many provisions in the GDPR regarding automated decision-making and processing of data.
- Right to be forgotten – Data subjects now have the right to have their personal data erased without undue delay in a number of circumstances, particularly when the data are no longer necessary for the purpose it was collected for in the first place. There are limitations to this right however, particularly to the extent the information is necessary to exercise the rights of freedom of expression and information and for the establishment, exercise or defense of legal claims.
- Mandatory data protection officer – As part of the measures to safeguard personal data of EU citizens, controllers and processors of an organization must designate a data protection officer if:
- A public body or authority is carrying out the processing of data.
- Their core activities include systematic monitoring of data subjects on a large scale.
- Their core activities include processing certain categories of data (data revealing ethnic/racial origin, religious/philosophical beliefs, political opinions etc.) on a large scale.
The officer employed should have in-depth knowledge of data protection laws and practices, and should abide by the rights and responsibilities set out by GDPR for that designation.
How Canadian business’ can approach compliance
The best way to start is to conduct a complete GDPR compliance assessment. The company’s policies and practices can be evaluated, and gaps relative to GDPR requirements can be identified. Once the gaps are identified, the organization can devise and employ different strategies to achieve GDPR compliance efficiently. To some extent, this also depends on the scale at which an organization operates and how it operates.
For example, an organization can simply isolate the data that is subject to GDPR and then figure out a way to efficiently implement the compliance plan for that data. Other organizations may have to take a different approach.
Organizations that adhere to PIPEDA will have an easier journey towards GDPR compliance as there are similarities between both regulations. However, some aspects of GDPR do not have an equivalent in PIPEDA (data protection officer, for instance). Moreover, the breadth of these obligations and the potential underlying complexities require the compliance plan to be devised considering the inputs from stakeholders across the organization.
May 2018 is already here. Early starters have had sufficient time to set up GDPR compliant processes. However, it’s still not too late for Canadian businesses to take measures. A compliance assessment is how they can get started, and it would be much easier, given the limited time-frame, with the help of both legal counsel and data protection experts. Devising and implementing the plan comes next.
Even if some organizations may not make it in time, an audit can help prove that they have taken measures to securing the subject data they hold. GDPR compliance could also be a key differentiator for Canadian businesses very soon, and those that haven’t taken the steps towards compliance would be pushed back far. With a hefty fine on top, businesses can be sealed shut for good if they are not willing to make a move now.