Welcome to our Motion – Discussing what matters video series, where our experienced lawyers provide timely analysis on hot issues relevant to Canadians.
This latest episode focuses on the European Union’s far-reaching General Data Protection Regulation (GDPR), which took effect in May.
The Canadian chair of our technology and outsourcing practice team, partner Robert Percival, explains what your company needs to consider if it is impacted by the legislation, but not yet compliant.
And he discusses upcoming changes to Canadian data privacy regulations.
Subscribe to our Motion - Discussing what matters video series today!
Does my business need to worry about the GDPR?
The short answer is yes. Canadian organizations do need to be concerned about the possible application of the GDPR, which is short for the General Data Protection Regulation, and which was implemented in May of 2018. The GDPR generally applies to EU organisations which are collecting or processing personal information but it also has a significant extraterritorial application and can apply to organizations outside of the EU including Canadian organizations. As a consequence, Canadian organizations really need to determine whether or not the GDPR applies to their operations and if it does whether its existing data protection practices and procedures comply with the requirements of the GDPR. Any non-compliance will require the adoption and implementation of more stringent procedures and practices in order to meet the more stringent requirements of the GDPR. Finally it’s important to note that non-compliance with the GDPR requirements bears significant potential penalties of up to 30 million dollars. So it’s important for Canadian businesses that may themselves be subject to the GDPR to ensure that they are in fact compliant.
How do new Canadian mandatory breach notification requirements compare to the GDPR?
The federal Government recently amended the Personal Information Protection and Electronic Documents Act, also known as PIPEDA, to provide for mandatory breach notification to both individuals and to the federal privacy commissioner in the event of a data breach involving personal information that has a risk of significant harm to the affected individuals. These amendments also required organizations to create and maintain a registry of data breaches involving personal information. In implementing these amendments, the Government sought to harmonize Canadian data protection legislation with new requirements imposed by the General Data Protection Regulation adopted by the EU in May of 2018. Under the GDPR, organisations are similarly required to report both to the applicable regulatory authorities, but also to individuals, the occurrence of a data breach where risk of significant harm occurs. As a consequence, Canadian organisations that are either subject to PIPEDA or, and or the GDPR, should immediately implement and adopt a compliance strategy that addresses both the new mandatory breach reporting obligations as well as their obligations to create and maintain a data breach.
How should Canadian businesses approach recent changes in Canadian and European privacy laws?
I think Canadian organizations should really look to the GDPR for inspiration when considering updating current practices and policies relating to data protection. While notable differences remain under obligations existing under Canadian law versus obligations under the GDPR, I think that Delta will continue to close over time particularly as Canada seeks to continue to maintain its adequacy standing under the GDPR in order to ensure the continued flow of information between the EU and Canada. As a consequence, I think for most Canadian organizations a sound business strategy will be to adopt practices and policies concerning data protection that are much more in line with the existing requirements under the GDPR as opposed to lesser standards that are enforced under existing Canadian privacy laws.