In May 2018, the most significant privacy regulation ever will take effect. The General Data Protection Regulation (GDPR) is an EU measure, but US and Canadian companies who think it doesn’t affect them are in for a rude awakening.
GDPR affects anyone storing sensitive data about anyone in an EU member state, putting most larger Canadian companies on the hook. It carries the strongest requirements that we have yet seen, raising the bar for Canadian companies.
Companies have no choice but to hit that bar. Those violating the requirements could find themselves paying €20 million, or 4% of their global revenue, whichever is higher. So, what changes are they looking at?
Canadian firms would have previously relied on the Personal Information Protection and Electronic Documents Act (PIPEDA) when dealing with privacy issues, but there are some significant differences between the two.
Data portability is one example. PIPEDA lets Canadians find out what information companies hold about them, but GDPR goes a step further. It lets individuals ask for that information in a machine-readable form, so that they can take it somewhere else.
GDPR also imposes new requirements around consent. Canadian law relies on implied consent – the idea that individuals can consent once, in a single agreement, to a company collecting information and then using it in diverse ways. GDPR forces companies to get separate consent for different uses of that data. They can’t roll it up into a single package.
Another one is the right to erasure. This enables an individual to ask for any of their personal data to be erased without undue delay.
Expect to see some changes to Canadian privacy law at some point in the future. Lawmakers wrote PIPEDA to be technology-neutral, but they wrote it in 2000, and even the best-worded legislation begins to age a little after almost two decades of breakneck technological change. Federal Privacy Commissioner Daniel Therrien has already cited GDPR in a consultation on Canada’s consent laws as part of PIPEDA.
“One of the objectives of OPC’s review of the consent model will be to ensure Canada’s laws remain adequate,” he has said.
Therrien can’t do anything to PIPEDA himself – that’s up to policymakers – but they will have to review things, because they’ll want to maintain Canada’s privileged relationship with Europe. As it stands, the EU has a finding of adequacy with Canada, meaning that it considers Canada’s laws adequate to allow the free exchange of personal data between companies in the two jurisdictions. If Canada’s laws aren’t revised to meet GDPR’s new standard, that adequacy may be called into question.
While lawmakers work out these nuances, companies must prepare themselves to toe the GDPR line. Where do they begin? There are several steps that they should take to ready themselves for compliance.
In January, the UK Information Commissioner’s Office released a 12-step guide to prepare for GDPR. Preparatory measures run the gamut from organizational to legal and beyond. We’ve distilled some of the major steps here:
Get staff on board
Hardly anyone in your organization is likely to be aware of the impending GDPR-pocalypse, let alone on top of what it requires. Make them aware.
Review your data holdings
Work out which personal data you hold, and review how you’re getting it and who you’re sharing it with. That includes third-party contractors (aka ‘data processors’ in GDPR lingo), who will also be affected by the new regulations.
Review your communications
GDPR changes the way that you tell customers about privacy, and what you tell them about. Your communications and legal team can help you hit the necessary marks when disseminating privacy information.
Ensure that you can support individuals’ requests
GDPR enhances individual rights in key areas such as accessing their information, correcting inaccuracies in it, and even erasing it. Companies must have procedures that support those requests, and it may take some extra programming work.
Review your legal position on data processing
You may be happily processing information under current laws in ways that won’t stand up under GDPR. Review your legal basis for processing personal data. One critical area here is how you obtain consent for that processing. Another involves how you process data about children, and how you determine someone’s age. GDPR imposes special protection for minors’ personal data.
Review (or create) your data breach reporting policy
Outside of specific provinces, Canadian organizations don’t currently face any data breach reporting requirements. The Data Privacy Act promised to change those rules, but its breach notification requirements haven’t been enforced at the time of writing. GDPR does impose data breach notification requirements, and affected companies must create procedures to meet them.
Prepare a privacy impact assessment
The GDPR introduces requirements for privacy by design. It’s a concept created by former Ontario privacy Commissioner Ann Cavoukian that helps build privacy into systems at the design level, rather than adding it as an afterthought. Prepare privacy impact assessment procedures that you can apply to existing and new systems, ensuring that they comply.
Consider a data protection officer
Putting someone in charge of privacy is a requirement for some organizations under GDPR. This data protection officer can be an internal employee or an external consultant. Making someone explicitly responsible for privacy is no bad thing, even if GDPR doesn’t explicitly require your company to have one.
Work out which regulator you’re reporting to
The EU leaves it up to national privacy and information regulators to enforce the GDPR requirements. If your company deals with citizens in different EU member states, consult your lawyer to find out which regulator you should be reporting to.
Complying with GDPR will be a more complex process than many companies realize, yet there is barely more than a year left to get everything arranged. Expect a multi-disciplinary effort, involving legal counsel, privacy officers, and technology staff. Start now, if you haven’t already, and expect some heavy lifting.