Out of the sea of acronyms comes yet another, GDPR, which stands for “General Data Protection Regulation.” It comes into effect May 25, 2018 and you’ll want to know more if your business or website touches the European Union (EU).
- You could face hefty fines and possible class action lawsuits if regulators find you are not complying with this rigorous revamp of privacy law.
- Yes, it’s the EU, but just as Canada can pursue non-Canadians for breaking our own law (PIPEDA – more about that later), the EU can pursue us if we break the GDPR.
- You are more likely to fall under it when you collect personal information from people in the EU, because its definition of personal data is broader than what many of us are used to.
- You might be surprised at how much you have to do to comply.
This is to help you see what you might need to explore around privacy and the collection of personal data, even for us in Canada. I’m not a lawyer or professional expert in this field, but I want you to be aware of how this might affect your website and your business.
And what do privacy legal experts say?
According to Dean Dolan, Toronto-based counsel in the International Commercial Practice of law firm Baker & McKenzie LLP, “GDPR will change the privacy law landscape for any Canadian organization that deals with the personal information of European Union citizens…It will require Canadian organizations to up their game on privacy compliance because any Canadian company that deals with even a small amount of EU-citizen data is vulnerable.”
How does it impact Canadian companies, from start-up to enterprise? As Kate Furber (audit and risk assurance partner leading PwC’s BC region technology, communications, retail and consumer practice) explains,
“Aspects of the GDPR that will have the biggest impact on businesses include the following:
- Mandatory maintenance of data inventory and record-keeping of all internal and third-party processing of personal data;
- Mandatory 72-hour notification to regulators and individuals in the event of a data breach, as well as documentation of breaches to provide to regulatory authorities upon request;
- Increased rights for individuals, including the rights to:
  - Request erasure of their data;
  - Request access to all data that a company has about them;
  - Have their data sent to another company in a “machine-readable format”; and
  - Object to the processing of their data, including for automated decision-making.
- Data protection impact assessments that must be completed for technology and business changes along with the implementation of privacy by design; and
- Mandatory data protection officers and an overall redesign of privacy strategy, governance, and risk management.”
Your business doesn’t have a physical presence in the EU? Doesn’t matter.
You don’t sell products internationally? Doesn’t matter.
If you are collecting personal data from people in the EU through a form on your website or anywhere else, GDPR compliance means you must have privacy compliance processes in place to manage that data, as well as complying with the enhanced privacy rules themselves.
And even for companies outside the EU, Kate Furber says, “…serious contraventions of the law could be punishable by fines of up to either 4% of group global annual worldwide turnover or 20 million euros (whichever amount is greater). In addition, citizens and special interest groups will have the right to engage in group litigation (class actions) to recover compensation for distress caused by contravention of the law.” Note that the GDPR’s reach is tied to where the person is, not to their passport: it covers the processing of personal data of individuals who are in the EU when you offer them goods or services or monitor their behaviour, whatever their nationality.
So, what do you need for GDPR compliance in Canada?
First, you need to see if the GDPR applies to you.
It’s not just what you collect on forms – think in terms of cookies, IP addresses, and closed-circuit television. And as David Young writes, “[c]onsideration must include whether the company collects, uses or even simply inventories any EU residents’ information for marketing or data analysis purposes.” Also, compliance is required by:
- Your service providers (third party data processing of EU-related personal data anywhere);
- Your supply chain firms; and
- Your business-to-business clients.
Learn more about GDPR and Cookies: see enclosed article provided by One Trust (see page 9 of PDF document)
Next, you need to see how your existing data protection practice might need to be adjusted.
We are lucky to be partway down the road to GDPR compliance already. Canada’s own private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), came into force on January 1, 2001. But the GDPR is more stringent. For example, as mentioned above, breaches must be reported within 72 hours.
As David Young, Principal at David Young Law, states, “Other examples include the GDPR’s enhanced consent rule — requiring a freely given, informed and unambiguous statement or clear affirmative action, and the new right to be forgotten. These rules are not unfamiliar to Canadian privacy law but will dictate a review and potential upgrading of policies and procedures by those companies subject to the GDPR.”
This includes the implementation of Privacy by Design (PbD). Ontario residents might take pride in the fact that this framework was created by three-term Ontario Information and Privacy Commissioner Ann Cavoukian, now the Executive Director of Ryerson University’s Privacy and Big Data Institute. At the 2010 International Conference of Data Protection and Privacy Commissioners, a resolution was unanimously passed recognizing it as “an essential component of fundamental privacy protection.”
What is Privacy by Design?
There are many players in privacy protection, including but not limited to:
- Data management, where it’s no small feat to end up with clean, tagged, and mapped data that is consistently named, with personal information identified, across all the platforms now possible;
- Lawyers, to define what data is private and how it can legitimately be used. Also, they need to help define your system of governance and compliance, and how to apply this to your data setup; and
- Lines of business, to see which are most affected. For marketing and sales, it’s a lot, while for accounting, not so much.
As Dean Dolan explains, “The goal is to architect a system that not only responds to the challenges of GDPR compliance, but also has the flexibility to respond to a changing privacy seascape—privacy regulations aren’t going to become less stringent in the future. This is called Privacy by Design (PbD).”
Foundational Principles in Privacy by Design:
There are seven foundational principles in PbD. Briefly, they are:
- Proactive not Reactive; Preventative not Remedial
- Privacy as the Default Setting
- Privacy Embedded into Design
- Full Functionality — Positive-Sum, not Zero-Sum (“win-win”: accommodate all legitimate interests and objectives, such as privacy and security, rather than trading one off against the other.)
- End-to-End Security — Full Lifecycle Protection (Cradle-to-grave, secure lifecycle management of information, from collection through to deletion.)
- Visibility and Transparency — Keep it Open (Trust, but verify.)
- Respect for User Privacy — Keep it User-Centric
What are next steps for data privacy?
It will take you a while to put everything in place. Fortunately, it will also take time for the regulators to find you. In the meantime, your short-term tactics could include identifying where you can limit or eliminate the GDPR’s effect on you. For example, strip or anonymize the personal information in EU data you want to use, so that what you keep no longer identifies anyone. To keep your website compliant, users must be able to opt in, and opt out again, easily and at any time.
And don’t track site visits on a page aimed at EU visitors using cookies or forms unless they have first agreed to it.
If you do continue to use a form for EU visitors, you must meet the GDPR’s demand for respondents’ explicit (active) consent and full awareness that personal information is being collected. A consent checkbox that is pre-ticked, or consent inferred from silence, does not count. So, above the form, put a paragraph clearly stating that:
1) by filling it in, respondents are offering up their personal information (whether that be a name, email address, IP address, or other such information);
2) they can choose not to give the information; and
3) they can request to have it removed.
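As an added illustration of those three points in working code (this is not code from the original post), the snippet below gates non-essential cookies behind an explicit opt-in, makes withdrawal delete what was set, rejects a form submission whose consent field is anything other than the literal checkbox value, and honours a removal request against the stored submissions. The cookie names and purposes, the `Map` standing in for the browser cookie jar, and the in-memory submission store are all assumptions made for the example.

```javascript
// Added example, not from the original post. A minimal opt-in consent gate
// for a site's cookies and a contact form. Cookie names and purposes are
// assumed; the Map stands in for document.cookie and the array for whatever
// store the form writes to.

// Which purpose each cookie serves. Strictly necessary cookies may be set
// without consent; everything else needs an explicit opt-in first.
const COOKIE_PURPOSE = {
  session_id: "essential",
  csrf_token: "essential",
  _ga: "analytics",   // assumed analytics cookie name
  ad_id: "marketing", // assumed marketing cookie name
};

function createConsentState() {
  // Privacy as the default setting: no non-essential purpose is pre-granted,
  // and every change is logged so it can be produced on request.
  return { purposes: { analytics: false, marketing: false }, events: [] };
}

function assertPurpose(state, purpose) {
  if (!Object.prototype.hasOwnProperty.call(state.purposes, purpose)) {
    throw new Error("unknown consent purpose: " + purpose);
  }
}

function grantConsent(state, purpose, at) {
  assertPurpose(state, purpose);
  state.purposes[purpose] = true;
  state.events.push({ purpose, action: "grant", at });
  return state;
}

function withdrawConsent(state, jar, purpose, at) {
  assertPurpose(state, purpose);
  state.purposes[purpose] = false;
  state.events.push({ purpose, action: "withdraw", at });
  // Withdrawing must be as easy as granting: drop cookies already set for it.
  for (const [name, p] of Object.entries(COOKIE_PURPOSE)) {
    if (p === purpose) jar.delete(name);
  }
  return state;
}

// Returns true only if the cookie was actually set.
function setCookie(state, jar, name, value) {
  const purpose = COOKIE_PURPOSE[name];
  if (purpose === undefined) return false; // unknown cookie: refuse, don't guess
  if (purpose !== "essential" && !state.purposes[purpose]) return false; // no opt-in yet
  jar.set(name, value);
  return true;
}

// Consent on a form is only valid as an affirmative act: the checkbox value
// must be present and exactly the expected literal. A missing field, an empty
// string, or a boolean carried in by a pre-filled default is rejected.
function validateFormSubmission(fields) {
  const errors = [];
  if (fields.consent !== "yes") errors.push("consent checkbox not ticked");
  if (typeof fields.email !== "string" || !fields.email.includes("@")) {
    errors.push("email missing");
  }
  return { ok: errors.length === 0, errors };
}

// Removal request: drop every stored submission for the requester, in place,
// and report how many were removed.
function eraseSubmissions(store, email) {
  const before = store.length;
  const kept = store.filter((s) => s.email.toLowerCase() !== email.toLowerCase());
  store.length = 0;
  store.push(...kept);
  return before - kept.length;
}

// Walk-through on constructed input; returns the sequence of outcomes.
function demo() {
  const state = createConsentState();
  const jar = new Map();
  const trace = [];
  trace.push(setCookie(state, jar, "session_id", "abc")); // true: essential
  trace.push(setCookie(state, jar, "_ga", "GA1.2.1"));    // false: no opt-in yet
  grantConsent(state, "analytics", 1);
  trace.push(setCookie(state, jar, "_ga", "GA1.2.1"));    // true: after opt-in
  withdrawConsent(state, jar, "analytics", 2);
  trace.push(jar.has("_ga"));                             // false: withdrawn and deleted
  const submissions = [
    { email: "a@example.com", name: "A" }, // constructed sample records
    { email: "b@example.com", name: "B" },
  ];
  trace.push(validateFormSubmission({ email: "a@example.com", consent: true }).ok);  // false
  trace.push(validateFormSubmission({ email: "a@example.com", consent: "yes" }).ok); // true
  trace.push(eraseSubmissions(submissions, "A@example.com"));                        // 1
  return trace;
}

console.log(demo());
```

The consent log (`state.events`) is what you would hand to a regulator on request; the cookie gate and the form check are the two places where “privacy as the default” actually has to be enforced in code, since a pre-ticked box or a tracking cookie set before the banner is answered defeats the notice above the form.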
After all this, I’m going to have a look at my own methods for collecting personal information (name, address, phone number, IPs, dates of birth, etc.). I need to check how I store it and make sure that my site’s visitors know I’m not sharing it with others.
What about you? How are you going to react to this new legislation? Compliance with GDPR is probably essential whether or not you deal with EU citizens. I’d love to get your feedback. What protection policies do you have? What does your risk assessment plan look like? Do you have further questions I can explore concerning GDPR in Canada?