If your organization has customers or employees in the EU, it is critical to understand the GDPR (General Data Protection Regulation) requirements and take the necessary steps to ensure that you will be able to comply with those requirements as of May 25, 2018.
Here are a few key points you should know as a Canadian company with customers or employees in the EU:
- The enforcement provisions in the GDPR are extremely onerous. GDPR regulators may levy heavy financial sanctions of up to 4% of the annual worldwide turnover of the organization.
- The basic principles contained in the GDPR are similar to the basic principles contained in PIPEDA, Canada’s private sector privacy law. However, the GDPR contains some specific requirements which are not currently reflected in PIPEDA, nor addressed in the draft breach-of-security regulations recently released by the Canadian government. For example:
  a) The GDPR contains notification requirements for information security breaches that are more demanding than those contained in the PIPEDA amendments (which are not yet in force). For instance, the GDPR requires that an organization notify regulators and affected individuals within 72 hours of becoming aware of an information security breach unless the organization can establish that there was a good reason it did not meet this timeline. In light of the GDPR, the EU Commission will likely re-evaluate Canada’s adequacy status, which allows for the free flow of personal information from the European Union to Canadian organizations. As stated in the Regulatory Impact Analysis Statement for the new PIPEDA regulations, “alignment [of mandatory data breach reporting requirements] is important to Canada-EU trade. …”. It remains to be seen whether the absence of a timeline within which regulators must be notified of a breach will prevent PIPEDA from being deemed to provide a level of privacy protection essentially equivalent to the EU’s.
  b) Under the GDPR, a data protection impact assessment is a mandatory prerequisite before processing personal data for operations that present particular privacy risks to individuals due to the nature or scope of the operation. Under Canadian privacy law, privacy impact assessments have generally only been required in the public sector. My experience, however, is that many private entities put resources towards a privacy audit in order to identify and address risks that could lead to a privacy breach. However, there is a lack of consistency in these efforts, since privacy assessments are not a legal obligation.
The EU Commission’s revised infographic gives businesses operating in the EU a succinct guide for understanding GDPR compliance. I highly recommend it when reflecting on practices and procedures to ensure GDPR compliance.
For assistance with understanding GDPR compliance or developing required data maps, contact PRIVATECH.