By David Young (David Young Law)
On May 25, 2018 the European Union (EU)’s General Data Protection Regulation (GDPR) will come into force, with significant impact on businesses around the globe. The GDPR raises the bar for privacy compliance as the successor to the EU’s Data Protection Directive.
Under the Directive, non-EU organizations are required to comply only if they operate or conduct information processing through facilities located in the EU. By contrast, the GDPR will apply to any organization, wherever located, that uses the personal information of EU residents to market products to them or to “monitor” their behaviour.
Additionally, it is the GDPR’s significantly higher penalties that have caught the attention of businesses in non-EU countries, particularly Canada and the United States: up to 20 million euros (circa C$30 million) or 4% of annual worldwide revenues.
Where do Canadian businesses stand?
PIPEDA has been recognized as providing an “adequate” level of privacy protection relative to the Directive. While the GDPR represents a significant advance in the rigour of privacy protections, for the most part its rules can be characterized as incremental to the Directive. It is therefore not unfamiliar to Canadian businesses required to comply with our national privacy law, PIPEDA.
A review of compliance requirements under the GDPR reveals that many of them are reflected in Canadian privacy law already. An example is the GDPR’s requirement for organizations that process sensitive personal information on a large scale to appoint a “data protection officer”. This rule is equivalent to the Canadian privacy law requirement for organizations to have an office, or individual, responsible for compliance – typically titled the Privacy Office (or Officer).
New compliance requirements that businesses need to address
A number of the GDPR’s rules are potentially more rigorous than those under PIPEDA.
Breach Reporting: GDPR requires organizations to report data breaches to the relevant regulator within 72 hours of an occurrence. While PIPEDA has been amended to provide for reporting of breaches, as well as notification of affected individuals (also a new GDPR requirement), it does not stipulate a specific time period for reporting.
Organizational Accountability: Organizations must document policies and procedures, maintain detailed records of all data processing activities, conduct privacy impact assessments for high-risk processing and generally ensure all data protection initiatives adhere to the principle of “privacy by design and by default”. While some features of this requirement go beyond what is stipulated expressly under PIPEDA, this dictate is consistent with guidance issued by both the Canadian federal and provincial Privacy Commissioners.
Enhanced privacy rights for individuals
The GDPR also stipulates a number of new or enhanced substantive privacy rights for individuals which organizations potentially will need to address in their privacy protection procedures.
Consent: Consent must be a freely given, specific, informed and unambiguous indication of the individual’s agreement to the processing of his or her personal data and must be given by a statement or a clear affirmative action. While this is consistent with Canadian law, ensuring that consent practices actually meet the GDPR standard may require businesses to review and potentially upgrade their data collection and consent capture procedures.
Data Portability and Deletion: The GDPR contains new rights of data portability – the right of individuals to transfer all their data from one organization to another, such as when changing banks – and to deletion, or erasure (the “right to be forgotten”). While not specifically provided for under Canadian privacy laws, these new data portability and erasure rules might be characterized as adjuncts to our right to withdraw consent. However, in order to comply with them, organizations may be facing significant added costs in upgrading their information management and data retention protocols.
Canadian businesses will need to assess the likelihood of the GDPR applying to them. If it does – or might – apply, assess the degree to which your current compliance status requires adjustment. A compliance risk assessment can help here: factor in the likelihood of regulatory enforcement given your potential exposure to the GDPR and whether your activities are likely to draw the early attention of EU regulators.
The assessment may identify procedures that need to be adjusted and/or “red flagged” to ensure a compliant response if an affected activity is involved, without necessitating at the outset a full revision of all documented policies and procedures. While such a revision would be the longer-term goal, an interim compliance strategy of responding where needed while learning from ongoing experience may be a practical approach in the early days of the GDPR. This will help organizations assess exactly how the new law will, or may be, applied to them.