CPABC in Focus March/April 2018 | Page 26

GDPR: What European Privacy Regulations Mean for Canadian Businesses

By Kate Furber, CPA, CA, PwC Canada

If your business has relationships with the European Union (EU), you'll want to make sure you're up to date on the EU's privacy legislation, as one of the toughest privacy regulations in decades comes into full effect in Europe on May 25, 2018. Named the EU General Data Protection Regulation (GDPR), this new regulation is intended to harmonize data protection across EU member states, giving customers and employees in the EU greater control over how their personal information is gathered, managed, and used. The GDPR signals a significant change in the way businesses need to handle privacy. And with non-compliance fines of up to 4% of a company's total worldwide annual turnover, as well as the looming prospect of consumer class action lawsuits, there are strong incentives for businesses to ensure they are in compliance right from day one.

Does the GDPR apply in Canada? The first thing to understand is that businesses do not need to have a physical presence in Europe to be subject to the GDPR. The GDPR affects businesses with activities in the EU, including:
• Consumer-facing activities ;
• Employee activities ;
• Marketing and advertising ;
• Geolocation , profiling , or tracking ;
• Mass communications ;
• Global business operations ; and
• Service provider relationships .
Accordingly, Canadian organizations need to move quickly to determine whether these regulations will apply to their business. The GDPR will apply if your business:
1. Offers goods or services to individuals in the EU, or monitors the behaviour of individuals in the EU (e.g., through cookies, IP addresses, closed-circuit television, etc.);
2. Has a physical presence or a representative inside the EU and processes any personal data (EU or otherwise) inside the EU;
3. Has service providers that are either established in the EU and process any personal data (EU or otherwise) inside the EU, or that process EU personal data outside of the EU; and/or
4. Has supply chain members or business-to-business clients that require it to be GDPR-compliant.
What are some of the big changes under the GDPR? For Canadian businesses, complying with the GDPR will require strong data management, notification, and documentation processes, as the GDPR significantly raises the bar for personal privacy rights and requires companies to manage data more effectively. Aspects of the GDPR that will have the biggest impact on businesses include the following:
1. Mandatory maintenance of a data inventory and record-keeping of all internal and third-party processing of personal data;
2. Mandatory notification of personal data breaches to the supervisory authority within 72 hours of becoming aware of them, notification of affected individuals without undue delay where the breach poses a high risk to them, and documentation of all breaches to provide to regulatory authorities upon request;
3. Increased rights for individuals, including the rights to:
• Request erasure of their data;
• Request access to all data that a company holds about them;
• Have their data sent to another company in a "machine-readable format"; and
• Object to the processing of their data, including automated decision-making;
4. Data protection impact assessments that must be completed for higher-risk technology and business changes, along with the implementation of privacy by design (see sidebar on page 28); and
5. Mandatory appointment of a data protection officer for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, together with an overall redesign of privacy strategy, governance, and risk management.
What's more, serious contraventions of the law could be punishable by fines of up to either 4% of global annual turnover or 20 million euros (whichever amount is greater). In addition, individuals and special interest groups acting on their behalf will have the right to engage in group litigation (class actions) to recover compensation for damage, including distress, caused by contravention of the law.