With two days left to go before the European Union’s General Data Protection Regulation comes into force, some Canadian organizations are still scrambling to be ready.
“All sorts [of firms], including large Canadian companies with EU business and smaller companies, including those that do business directly or through distributors in the European Union,” have been calling the McCarthy Tetrault law firm for advice or help recently, said senior partner and privacy law expert Barry Sookman.
In some cases, however, the scramble isn’t because they failed to realize they have to meet the GDPR’s obligations for companies collecting personal data of EU residents. Instead, their European partners realized late that companies in their supply chain are affected.
Calls for help to the Toronto-based Miller Thomson law firm began increasing four months ago, said Imran Ahmad, who leads the firm’s cyber security and data breach practice. “And in the past month it’s been like gangbusters, not that they believe they need to be fully GDPR-compliant, but because their business partners are asking them to enter into what we call data protection agreements as a condition to do business.”
“We’ve got 20 active files on this over the past two weeks or so.”
A little background: Under the GDPR, companies handling personal information on EU residents are either data controllers (typically firms that decide why and how data is collected) or data processors (typically third parties, including cloud providers, that handle personal information on the controller’s behalf). Article 28 of the regulation specifies that a controller shall use only processors providing sufficient guarantees that the data will be adequately protected, and that the processing be governed by a binding written contract – hence the data protection/processing agreement. Data controllers have to audit their existing contracts with processors to see whether the agreements already comply with the GDPR.
Among other things, the law says a data processor must report personal data breaches to the data controller without undue delay and must keep records of its processing activities. (The full text of the GDPR is available here.)
Data processing agreements aren’t tough to do. Ahmad said the International Association of Privacy Professionals has put out a template, which he called “relatively straightforward.” The Canadian organizations that are having trouble are the ones that until now haven’t had to document their data handling and security processes. “It’s a change of culture, it’s a change of the way they do business. And sometimes it’s not easy to do, especially if you have tons of data that is transiting through your organization.”
There are other problems. Under the GDPR, organizations that collect personal data (which includes online identifiers such as a user’s IP address) need a lawful basis for doing so, and where that basis is consent, the consent must be freely given, specific, informed and unambiguous. But, Ahmad said, a Canadian software developer that got customer consent several years ago under the more relaxed Canadian privacy laws may not meet that standard. To comply with the GDPR many companies are now emailing users with updated data collection consent forms. But, Ahmad asks, what happens if the user refuses to give consent? What happens to all of the personal data the company has collected so far? One option may be that it has to be deleted. However, that could degrade the data the company relies on to evaluate the quality of its application.
‘Our game would crash’
Similarly, some applications, including games, need to set cookies in the user’s browser. Under the GDPR’s consent standard, a user can refuse them. For some Canadian-made online games, Ahmad said, that can affect performance, which in turn affects the game’s reputation.
“I had one client who said, ‘Our game would entirely crash without getting cookies and consent to collect personal data.’ In that client’s case they’re trying to completely rebuild with a non-client version.”
He sees similarities between the GDPR and the passage of Canada’s Anti-Spam Legislation (CASL). When it came in, businesses saw it as onerous, but non-compliance could be expensive if fines were imposed.
“A lot of the clients in Canada who are debating whether GDPR even applies to them, because of a business relationship are saying, ‘It’s worth the time and effort right now because we want to keep access to a market, or make sure our clients in Europe are happy.’”
Canadian companies not ready for the GDPR on Friday won’t be alone. According to a survey of 1,000 U.S. and European firms released in April by the Ponemon Institute and sponsored by a law firm, only 10 per cent of respondents said they would be ready before the deadline, with another 42 per cent saying they would be ready on May 25. Forty per cent said they would be ready after May 25, while eight per cent said they didn’t know.
Some comfort: several EU member states haven’t yet passed the national legislation that supplements the GDPR, and some regulators have said they won’t move immediately to strict enforcement. The regulation itself, however, applies directly across the EU from May 25 regardless of national legislation.
The GDPR mandates that personal data of EU residents be collected for specified, explicit and legitimate purposes. Further processing for an unrelated purpose generally requires a new lawful basis, such as the data subject’s consent. The data has to be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. Data subjects have the right to take their data from one company and give it to another (data portability). They also have the right, in defined circumstances, to have personal data held by a company erased. For more see this resource page from the U.K. Information Commissioner’s Office.
With this week’s deadline, security vendors are pushing out advice and guidelines. Addigy, a provider of cloud-based Apple macOS/iOS management software, issued this white paper on achieving macOS/iOS device compliance. IBM is offering a webinar on Thursday. Rapid7 has a portal with several resources. Check Point Software has resources here. Commvault has a webinar on Friday on the benefits of the GDPR.
IBM recently surveyed over 1,500 business leaders responsible for GDPR compliance at organizations around the world:
– 84 per cent believed that proof of GDPR compliance will be seen as a positive differentiator by the public;
– 76 per cent said that the GDPR will enable more trusted relationships with data subjects that will create new business opportunities;
– Only 36 per cent believed they would be fully compliant with the GDPR by the May 25 deadline.