Later this month, the European Union’s General Data Protection Regulation (GDPR) comes into force. Once this occurs, Canadian businesses will face new obligations for handling the personal information of individuals in Europe. This includes identity information such as name, address and ID numbers, web data such as location, IP address and cookie data, health and genetic data, racial or ethnic data, political opinions and sexual orientation.
What is the General Data Protection Regulation?
The GDPR is designed to harmonize data privacy laws across the European Union. It protects and empowers all EU citizens’ data privacy and reshapes the way organizations across the world approach client data. The regulation was officially adopted in May 2016, but companies were granted a two-year post-adoption grace period to become compliant.
How Does It Affect Canadian Companies?
Even if your company is based in Canada, GDPR compliance is a must if you do business in the EU or hold data for citizens in the EU. Companies found not to be GDPR compliant run the risk of heavy fines of up to four per cent of their global revenue.
5 Tips for Becoming GDPR Compliant
Ensuring your business is GDPR compliant is not only essential but shows your clients that their data protection is a high priority to you. Here are five tips to help you become GDPR compliant.
It’s vital that key decision makers and stakeholders in your business understand GDPR and take it seriously. You should document what client data you hold, where it came from, and who it’s shared with. The European Union has produced the following handy fact sheet that goes into more detail.
Check Your Procedures
Each company should review their internal privacy procedures to ensure compliance. This review should extend to how you will delete personal data or provide data electronically, if requested. It’s also recommended to review consent forms for EU residents and determine if any changes are necessary.
The GDPR covers the following data privacy rights for individuals:
- The right to be informed what data you hold
- The right to access data you hold
- The right to rectify any errors in data
- The right to erase any data you hold
- The right to restrict processing of data
- The right to data portability
- The right to object
- The right not to be subject to automated decision-making, including profiling
To use client data, there must be a positive opt-in from the client under GDPR. Consent cannot be inferred from silence, pre-ticked boxes, or inactivity. It must also be separate from other terms and conditions. Businesses will also be required to produce evidence of this consent if requested.
Data breaches affect businesses of all sizes. Just last week, Twitter announced a number of users’ passwords were stored in a plain text file, prompting calls for all users to update their log-in information. Your company is obliged to detect, report, and investigate any personal data breaches you find. If a breach is likely to result in a high risk of crimes such as identity theft, you will also have to notify those affected directly.
Differences with Canadian Law
Canadian consent laws have traditionally been more flexible than those found in GDPR. In Canada, most data collected by businesses is on an implied permission basis. Under GDPR, this isn’t enough. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) also gives Canadians the right to know what information companies hold about them. The GDPR enables clients to obtain that information and download it for their own purposes.