It’s less than a year until the General Data Protection Regulation (GDPR) takes effect, but Canadian organizations may not realize how much the new European data privacy standards will affect them.
Canada has had its own data privacy standards for more than 15 years, and while GDPR does have some things in common with the Personal Information Protection and Electronic Documents Act (PIPEDA), there are some significant differences. Crafted by the European Parliament, the Council of the European Union (EU), and the European Commission, the intent of GDPR is to strengthen and unify data protection for all individuals within the EU, while securing personal data exported from the EU. But although the legislation doesn’t emanate from Canada, it will significantly impact Canadian businesses—financially, operationally, and legally.
A new set of rules
GDPR is significantly different from other data protection regulations in that it’s based on citizenship, not geography, which means that it’s legislation for more than just the EU. Countries around the world are affected, and Canadian businesses are likely to find themselves within its scope.
Let’s look at it this way: If you have customers who are European citizens, you have to abide by GDPR, regardless of where you conduct your business. For example, if you run a gift shop in the nation’s capital that’s frequented by tourists from EU member states, you’re in scope. If you run an online retail business on Canadian soil but fulfill orders from EU citizens, you’re in scope.
Another important distinction of GDPR is its penalties for non-compliance. An EU organization caught not following these data privacy standards is subject to fines of up to four percent of a parent company’s annual revenue to a maximum of €20 million. This rule is still in flux, so how these penalties might be enforced and applied in Canada isn’t too clear, but stay tuned—we’ll keep you posted.
A new set of obligations
GDPR is a single set of rules that applies to all EU member states and to organizations conducting transactions with EU citizens. While there are similarities between GDPR and PIPEDA—like requirements for breach notifications—the new European set of data privacy standards has its own particular demands. Notification under GDPR is swift and stringent. It stipulates that the relevant Data Protection Authority (DPA) must be notified of a data breach posing a risk to individuals within 72 hours, and that affected individuals must be notified without undue delay. Last year, the Canadian government underwent a consultation process to determine how best to put in force the data breach notification requirement introduced by the Digital Privacy Act’s amendment to PIPEDA in 2015. The amendment is broad and puts a lot of discretion in the hands of the organization that was breached, putting it in a position to make a significant judgment call.
Organizations may also be required to appoint a data protection officer if they’re a public authority, engage in large-scale systematic monitoring, or engage in large-scale processing of sensitive personal data. If you don’t fall under one of these categories, you’re fine. That said, it’s highly recommended that organizations assign an integrated business and tech team the responsibility to liaise with the relevant DPA and GDPR compliance authority, and to follow up with internal and external legal counsel.
Another significant requirement of GDPR? Organizations have to use clear language to get consent from individuals for the use of personal data. They also have to promise not to use this data for anything other than what it’s intended for. If the purpose changes, the organization needs to renew consent. Users also have “the right to be forgotten.” Your company has to make it easy for them to withdraw consent, and any personal data needs to be destroyed immediately. Understand how to handle customer data from creation to deletion, and you’ll be all set with GDPR.
Canadian compliance unclear
One of the challenges for all jurisdictions both inside and outside the EU is how well their existing legislation meets the demands of GDPR. A driving force behind PIPEDA was to create a regulation that could guide the flow of personal information from EU states to Canada, but it’s not clear if our legislation is fully compliant with GDPR. The European legislation essentially says it recognizes the privacy rules of other countries, but will also monitor them regularly to see if they are up to snuff.
Areas still up in the air include compatibilities with breach notifications, penalties, and order-making. Canada might make the grade, but individual provinces may not. Alberta, for example, could be recognized on its own—its procedures for breach notification guided last year’s discussions around PIPEDA changes.
A looming deadline
GDPR was enacted in April 2016, and its live date of May 25, 2018 is coming up fast for your IT team. Already, experts are concerned that Canadian organizations won’t be ready for the new legislation. Businesses that haven’t started preparing for GDPR are already behind, and the grace period is more than half over. But because the EU data privacy standards have similarities with PIPEDA and the Canadian Anti-Spam Legislation (CASL), businesses will be able to repurpose their existing compliance efforts and technology to prepare. Still, you might want to seek some outside assistance to comply with the new demands.
Try consulting the 12-step GDPR guide released by the UK Information Commissioner, and HP’s GDPR Starter Kit, a software bundle that includes the tools to identify, classify, and secure information affected by the new data privacy standards. Come May 2018, you’ll be happy you prepared in advance.