The EU General Data Protection Regulation (“GDPR”) came into force on May 25, 2018. With so much recent focus on preparing for and meeting this deadline, there is no doubt that companies will have breathed a sigh of relief to have finally reached the finish line. Or so they thought.
In many ways, this is just the beginning. Among other things, GDPR has acted as a catalyst for “third countries” (i.e., non-EU Member States) to revise and update their data law. This is a logical consequence as many businesses based outside of the EU have to comply with GDPR with regard to their European customers, and some international companies are choosing to implement a single GDPR-compliant standard globally rather than battle the complications of applying different rules around the world. Argentina and Japan, for example, have already started to align their national data protection legislation with GDPR, and Canada is now looking to do the same.
There are already updates to Canada’s data protection rules coming into force in November of this year, but they are not as stringent as GDPR. For example, under Canada’s new federal data breach regulations, companies will be required to report security breaches that pose a “real risk of significant harm” to the federal privacy commissioner and consumers “as soon as feasible,” whereas under GDPR companies must notify regulators and consumers of any data breaches within 72 hours. Particularly in the wake of recent high-profile data leaks and misuse, many in Canada are calling for higher standards to be imposed.
To this end, the Standing Committee on Access to Information, Privacy and Ethics published a report titled “Addressing Digital Vulnerabilities and Potential Threats to Canada’s Democratic Electoral Process” on June 19, 2018, which proposed additional amendments to the Personal Informational Protection and Electronic Documents Act (“PIPEDA”) recommending the immediate introduction of measures to ensure that data protections similar to those applicable under GDPR are put in place for Canadians. In particular, the report suggests that Canada’s privacy commissioner should, similar to GDPR, have greater authority to impose hefty penalties, conduct audits, and seize documents should organisations fail to comply with PIPEDA. A private member’s bill regarding this specific recommendation has already been introduced to the Canadian Parliament.
Also on June 19, 2018, the Canadian government launched national consultations on digital and data transformation. The first roundtable discussion between the government and various stakeholders took place in Ottawa on the same day. These roundtables will continue as part of the consultation process across the country throughout the summer, and citizens are also invited to submit responses online. Although the consultation is still in its early days, it appears that there is an appetite in Canada to go beyond GDPR. Former Information and Privacy Commissioner for the Canadian province of Ontario, Dr. Ann Cavoukian, said that “It would be almost like a step back for us not to raise the bar,” and some industry experts are arguing for the new rules to require Canadian companies to undertake independent audits to certify compliance with the new data privacy laws, which goes beyond current GDPR requirements.
Ready or not, Canadian business may face sanctions under EU’s new privacy law
Experts say many Canadian firm have only recently become aware that they may be covered by new EU policy
Any Canadian business that collects personal information about residents of the European Union — whether they’re tourists, students or online customers — risks maximum fines of $30 million or more if they violate a sweeping new EU privacy law that takes effect Friday.
But privacy experts say many small- and mid-sized Canadian companies have only recently become aware that they may be covered by the EU’s General Data Protection Regulation, which was adopted by the 27-country regional government in 2016 with a two-year delay before enforcement starting on May 25, 2018.
“Anybody that is collecting personal data from European residents — not only citizens — needs to comply with this,” Ale Brown, founder of Kirke Management Consulting, said in a phone interview from Vancouver.
That’s equally true for a boutique fashion company selling purses, a university with students from a European country or a website using cookies or other information tracking features, she said. The GDPR could even affect small tourism-related business such as a resort or tour operator, because they have guests from all over the world.
Besides having potentially hefty fines, the GDPR’s scope is also sweeping.
It covers everything from giving people an opportunity to obtain, correct or remove personal data about themselves, to outlining rules for disclosing security breaches, to providing easily understood privacy policies and terms of service.
One of the criticisms of GDPR has been that it could impose higher administrative costs on every company that wants to comply with the rules — plus the potentially devastating impact of being hit with a fine for violating the law.
Among those raising the alarm is Jake Ward, a spokesman for the recently formed Data Catalyst advisory council, which aspires to educate policy makers and businesses about the importance of the data-driven economy.
“Now, I’m not saying that it’s a bad bill, because I don’t necessarily think it is,” Ward said in an interview.
“But there could have been some steps taken to appreciate that the challenges of small businesses is different from the large.”
For example, he said, a fine of four per cent of annual revenue would be very painful for a large company like Facebook or Google but “that’s a death sentence for a small company that gets hit with a GDPR fine.”
While the EU intends for its fines to be a real deterrent to breaking the privacy law, it does take into account a number of factors, such as whether the infringement is intentional or negligent, the actions taken to reduce damage to the individuals, and preparations in place to prevent non-compliance.
However, it may impose the biggest fine applicable in a particular case and the ultimate maximum fine could be either 20 million euros ($30 million Cdn), or four per cent of a company’s annual global revenue, whichever is greater.
Brown said many of her larger clients have been grappling with the legal and operational implications of the GDPR for 18 months or more, but others have only recently become aware that they need to be ready too.
‘Under the radar’
A top priority for them, she said, is to respond quickly if somebody requests access to their personal information or corrections to what’s on file about them — both rights recognized by the GDPR.
“Smaller businesses in Canada may fly under the radar for awhile, because the supervisory authorities are going to have to prioritize, but if somebody lodges a complaint — they’re going to come,” Brown said.
“From a financial, from a legal and a reputational perspective, you really don’t want a European supervisory authority knocking on your door.”
They can begin to protect themselves by having a process in place for dealing with GDPR issues, as soon as possible, Brown said.
“Do an inventory of the data you have, understand why you have it and document it.”
It’s also important to be able to locate the information, which may reside in multiple places such as an in-house system, on a “cloud” service on somebody else’s servers, or on a mobile device like a smartphone, said Matthew Tyrer, a senior manager at the Ottawa office of data protection company Commvault.
The arrival of GDPR has been an opportunity for Commvault as well as any Canadian company that can demonstrate it has taken the effort to protect their customers’ personal data, Tyrer said.
“It will just make you that much more competitive and these are things we should probably have already been doing in the first place, when you look at the basics.”
READ ALSO – GDPR in USA: California Passes Groundbreaking Consumer Data Privacy Law With Fines for Violations, But Facebook and Google are Ready to BLOCK it!
This article is sponsored by:
Show your customers that you care about their privacy! European Center for GDPR Certification is the “Consumer Trust Body” of the General Data Protection Regulation. Visit GDPRcertified.org to read about how to add “GDPR TRUST SEAL”™ to your website in order to gain more business and distance you from the not so serious competitors – It Pays Off!