The world’s toughest data protection regime – the European Union’s General Data Protection Regulation (GDPR) comes into effect today, and with it the possibility of huge financial penalties for non-compliance.
Privacy experts here believe many large Canadian-based enterprises who regularly do business in Europe are prepared, while a large number are close. But many small and medium-sized businesses are way behind.
So here’s two pieces of advice on what to do on this Day 1 from those who know: Don’t panic, and get on with it.
“Let’s not freak out,” Lauren Reid, who runs her own consultancy called The Privacy Pro, told the annual Canadian convention of the International Association of Privacy Professionals (IAPP) in Toronto on Thursday.
She acknowledged there are differences between GDPR and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). But, she added, they try to achieve the same things.
Reid applied a little sense of humour: “As we move past the confusion, sometimes anger, overwhelmed feeling that it applies here [to your organization] and get beyond the five stages of grief, we get to the acceptance phase and thinking, ‘What are we going to do?’, it’s important to keep in mind {GDPR] builds on existing legislation in Europe.”
In fact, she added, it’s built on same principles of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which includes giving people notice personal data is going to be collected, choice of saying no, transparency on what is being collected and detail on what the data will be used for — in other words, privacy and data protection.
A friend, Reid said, says no one should get worked up over GDPR any more than they should over an approaching wedding day: You should really be focused on your marriage – it’s a long-term commitment, it requires flexibility, communication. “That’s the relationship with GDPR.”
And while there is a lot of good, free guidance, particularly from regulators, she said “there is a lot of fear-mongering going on … “If what you’re reading says you should be nervous about something, you should be questioning what they’re selling.”
Rules for proving proper consent for collecting data was obtained may be different under PIPEDA and GDPR, but Reid noted firms here have the experience and tools under the Canadian Anti-Spam Law (CASL), so should be ready for more stringent rules.
Under GDPR data breaches have to be reported within 72 hours of discovery, while the upcoming Canadian breach notification rule (which takes effect Nov. 1) is more relaxed. However, Reid said, “the differences shouldn’t be overwhelming.”
“For many organizations, GDPR doesn’t apply,” Reid added, although it may end up affecting them as PIPEDA and provincial privacy laws are expected to be amended to come close to GDPR. If Canadian laws aren’t found adequate by EU regulators then companies won’t be able to transfer personal data back and forth.
Misconceptions
In fact, Reid said, the number one misconceptions is that Canadian laws are already adequate so GDPR doesn’t apply. Not true. Canadian laws were adequate on data transfers with the old EU privacy laws. Another misconception is GDPR introduces new security requirements that have to be met. It only demands “appropriate technical and organizational measures” to protect personal data.
How soon the EU will decide adequacy isn’t clear. Canadian privacy commissioner Daniel Therrien says Canada’s adequacy will be decided by 2020. However, Constantine Karbaliotis, leader of managed privacy services at PwC Canada and a member of the GDPR panel on which Reid was speaking, said one European told him it could be decided by the end of this year.
We don’t want to get European regulators riled up against Canadian companies, he said. When transferring data with personal information to a third party in an EU country use a model contract.
Panel member Jennifer Stoddard, former federal privacy commissioner and now regulatory advisor to Nymity, a Toronto privacy management software firm, warned that after the Edward Snowden revelations about U.S. online surveillance capabilities Europeans no longer look at Canada as a privacy-friendly country. That’s because we are partners with the Americans, the British, the Australians and New Zealand in the Five Eyes intelligence-sharing co-operative.
Show you’re working on it
In a separate panel on GDPR, a German and two Canadian experts went over the similarities and differences between PIPEDA and the new EU regulation.
Echoing what others have said, Berlin technology and media lawyer Fabian Selp noted many EU countries still haven’t passed GDPR enabling legislation No organization is 100 per cent complaint at this stage, he said, and won’t start handing out fines immediately.
However, he added, affected companies must show they are on track to being compliant. That means having evidence of a plan (documentation, a budget), doing a data inventory and appointing a data privacy officer, assessing risks.
In an interview panel member and Toronto privacy lawyer David Young said companies here that comply with PIPEDA are “more than half way” to GDPR compliance. “There are some differences, but in some places it’s almost the same rule, and if you can spec out something in your privacy policy and your internal procedure and you’re there.
“Other places, like consent, you’ll need to some major rethinking of how you obtain consent, what nature of consent. That’s probably the biggest hurdle. Accountability is very close, but if you get into the record-keeping requirements, they’re much more prospective – more specific — than PIPEDA.”
He believes a “significant proportion of large sophisticated multinationals” based here are very close to good compliance. SMBs, though, are still trying to figure out if they’re affected.
His advice for them: “Get a plan in place – you could start writing it today – and if somebody comes knocking you’ve got it. It might take a month… and do a high-level inventory of what you have. That will tell you what data is European, and that’s a big element of record-keeping.”
While Europe told the world two years ago GDPR was coming, a number of Canadian firms apparently just woke up. “I’ve had dozens of calls in the last week, ‘Can you help me with this GDPR thing?”’Karbalioti said.
Young said for him “this week has been the biggest number,” of companies calling, wondering what they have to do.“It’s not the end of the world tomorrow,” he said, “but get on with it.”
