The role of insights

SEE TIPS

GDPR’s Impact on Canadian Businesses – Preparing for EU’s New Privacy Law

Feb 28, 2018
GDPR Privacy

On May 25, 2018 the European Union (EU)’s General Data Protection Regulation (GDPR) will come into force, with significant impact on businesses around the globe. The GDPR raises the bar for privacy compliance as the successor to the EU’s Data Protection Directive.

Under the Directive, non-EU organizations are required to comply only if they operate or conduct information processing through facilities located in the EU. By contrast, the GDPR will apply to any organization, wherever located, that uses the personal information of EU residents to market products to them or to “monitor” their behaviour.

Additionally, it is the GDPR’s significantly higher penalties that have caught the attention of businesses in non-EU countries, particularly Canada and the United States - up to 20 million euros (circa C$30 million) or 4% of annual worldwide revenues.

Where do Canadian businesses stand?

PIPEDA has been recognized as providing an “adequate” level of privacy protection relative to the Directive. While the GDPR represents a significant advance in the rigour of privacy protections, for the most part its rules can be characterized as incremental to the Directive. It is therefore not unfamiliar to Canadian businesses required to comply with our national privacy law, PIPEDA.

A review of compliance requirements under the GDPR reveals that many of them are reflected in Canadian privacy law already. An example is the GDPR’s requirement for organizations that process sensitive personal information on a large scale to appoint a “data protection officer”.  This rule is equivalent to the Canadian privacy law requirement for organizations to have an office, or individual, responsible for compliance – typically titled the Privacy Office (or Officer).

New compliance requirements that businesses need to address

A number of the GDPR’s rules are potentially more rigorous relative to those under PIPEDA. 

Breach Reporting: GDPR requires organizations to report data breaches to the relevant regulator within 72 hours of an occurrence. While PIPEDA has been amended to provide for reporting of breaches, as well as notification of affected individuals (also a new GDPR requirement), it does not stipulate a specific time period for reporting.

Organizational Accountability: Organizations must document policies and procedures, maintain detailed records of all data processing activities, conduct privacy impact assessments for high-risk processing and generally ensure all data protection initiatives adhere to the principle of “privacy by design and by default”.  While some features of this requirement go beyond what is stipulated expressly under PIPEDA, this dictate is consistent with guidance issued by both the Canadian federal and provincial Privacy Commissioners.

Enhanced privacy rights for individual

The GDPR also stipulates a number of new or enhanced substantive privacy rights for individuals which organizations potentially will need to address in their privacy protection procedures.

Consent: Consent must be a freely given, specific, informed and unambiguous indication of the individual’s agreement to the processing of his or her personal data and must be given by a statement or a clear affirmative action. While this is consistent with Canadian law, execution ensuring satisfaction of the GDPR standard may require businesses to review and potentially upgrade their data collection and consent capture procedures.

Data Portability and Deletion: The GDPR contains new rights of data portability – the right of individuals to transfer all their data from one organization to another, such as when changing banks – and to deletion, or erasure (the “right to be forgotten”). While not specifically provided for under Canadian privacy laws, these new data portability and erasure rules might be characterized as adjuncts to our right to withdraw consent. However, in order to comply with them, organizations may be facing significant added costs in upgrading their information management and data retention protocols.

Now What?

Canadian businesses will need to assess the likelihood of the GDPR applying to them. If it does – or might – apply, assess the degree to which your current compliance status requires adjustment. A compliance risk assessment can be applied - factor in the likelihood of regulatory enforcement given your potential exposure to the GDPR and whether your activities are likely to draw the early attention of EU regulators.

The assessment may identify procedures that need to be adjusted and/or “red flagged” to ensure a compliant response if an affected activity is involved, without necessitating at the outset a full revision of all documented policies and procedures. While such a revision would be the longer-term goal, an interim compliance strategy of responding where needed while learning from ongoing experience, may be a practical approach in the early days of the GDPR. This will help organizations assess exactly how the new law will, or may be, applied to them.

AUTHORED BY
profile picture

David Young

Principal David Young Law

Ethics and Standards Committee



UPCOMING EVENTS & LEARNING OPPORTUNITIES

|

VIEW ALL

LATEST PERSPECTIVES

 | View All

Must-know 2024 Code updates for marketers

Apr 23
Tag:Code Tag:Standards
Council

Brand marketing: The essence of marketing

Apr 18
Tag:Brand Tag:Thought Leadership
Council

Cannes you have your Lion and eat it too?

Apr 16
Tag:Agency Tag:Partners
Council

Harnessing hyper-personalization in modern marketing

Mar 27
Tag:Marketers Tag:Thought Leadership
Council

Humour in creative campaigns

Mar 15
Tag:Creativity
Council

Navigating global brand positioning

Mar 08
Tag:Brand Tag:Thought Leadership
Council

Media trends to watch for in 2024

Mar 01
Tag:Media Tag:Trends
Council

Advice for marketers from the CMA Insights Council

Feb 29
Tag:Insights Tag:Thought Leadership

Taking Stock: Canada’s Digital Charter

Feb 29
Tag:Digital Tag:Standards

Proposed online harms law: What marketers need to know

Feb 28
Tag:Digital Tag:Standards
Council

Six tips for achieving your 2024 goals with consumer insights

Feb 20
Tag:Insights Tag:Thought Leadership

Ontario adopts updated consumer protection law

Feb 01
Tag:Consumer Protection Tag:Standards

Embracing AI as more than a buzzword

Jan 22
Tag:Adtech Tag:ai

Tips to avoid deceptive marketing

Jan 17
Tag:Deceptive Marketing Tag:Standards
Council

Knowing when to exceed customer expectations

Jan 15
Tag:CX Tag:Thought Leadership
Council

Enrich CX with a passwordless future

Jan 11
Tag:CX Tag:Thought Leadership

How AI is infusing empathy into digital CX

Jan 08
Tag:ai Tag:CX

Upskilling for marketers: Future-proofing talent

Jan 03
Tag:Professional Development Tag:Talent

Get up to speed on California’s privacy law

Dec 19
Tag:Privacy Tag:Standards

Contests 101: What marketers need to know

Dec 13
Tag:Contests Tag:Standards
Council

Unpacking consumer trends for future-ready marketing

Dec 08
Tag:Consumers Tag:Trends

The momentum and opportunity of AI for marketers

Dec 01
Tag:ai

Ontario’s proposed protections for consumers

Nov 21
Tag:Consumer Protection Tag:Standards

Have your say: New federal consultations affecting biometrics and generative AI

Nov 13
Tag:ai Tag:data

What You Should Know: Final consent guidance from Quebec’s privacy regulator

Nov 08
Tag:Privacy Tag:Standards

Opportunity on the open internet

Nov 03
Tag:Adtech Tag:Trends

Quebec privacy regulator releases final consent guidance

Nov 02
Tag:Privacy Tag:Standards

Mastering personalization in marketing with AI

Oct 31
Tag:ai Tag:Personalization
Council

Inflation trends this holiday season

Oct 27
Tag:Consumers Tag:Thought Leadership

Experts weigh in on recent developments in Canada’s privacy and AI landscape

Oct 26
Tag:ai Tag:Privacy

Major Sponsors

  • BMO-800x450
  • canada-post_2022
  • CIBC-800x450
  • Microsoft-2023

Featured Member