The European Union’s (EU) General Data Protection Regulation (GDPR) came into force on May 25, 2018, and has implications for many Canadian organizations, particularly those controlling or processing personal information in the EU or of its EU data subjects (any person whose personal data is being collected, held or processed).
The GDPR places accountability on Controllers (organizations that determine the purposes and means of processing data) and Processors (organizations that process the personal data on behalf of controllers).
The new GDPR has become a major concern of Canadian organizations for three main reasons:
- Scale of requirements;
- Broader scope; and
- Strict fines in case of noncompliance.
This new regulation applies mainly to EU organizations but can also apply to Canadian organizations processing the data of EU citizens and residents. The fines for an organization that is found to be noncompliant can be up to 4% of its annual global turnover (revenues) or up to €20 Million (approx. Cdn $30M), whichever is greater.
GDPR’s Key Requirements
There are a number of key requirements that organizations must fulfill to be GDPR compliant, as follows:
1. Obtaining consent
The terms of consent in the GDPR must be clear. This means that organizations should avoid padding their terms and conditions with complex language designed to confuse their data subjects. Consent should be easily provided and withdrawn at any time.
2. Breach notification
If a security breach occurs, companies have 72 hours to report the data breach to both their data subjects and the relevant EU regional authority. Failure to report breaches within this timeframe will lead to significant fines.
3. Right to data access
If an individual (customer/employee) requests his/her existing data profile, organizations must be able to provide a detailed electronic copy of the data that was collected. This report should also include the different ways in which the individual’s data is being utilized.
4. The right to be forgotten
In Canada, this requirement is known as ‘the right to data erasure’. Once the original purpose or use of the customer data has been realized, any individual has the right to request the entire deletion of his/her data.
5. Privacy by design
This section of GDPR requires organizations to design their systems with the proper security protocols in place from the start. Failure to design systems of data collection appropriately will result in a fine.
6. Potential data protection officers
In some cases, an organization may need to appoint a Data Protection Officer (DPO). The need depends upon the size of the organization and how sensitive the data is that it controls/processes.
Potential Penalties for Noncompliance with GDPR
As stated before, under GDPR, organizations can be fined up to 4% of their annual global revenue, or €20 Million, whichever is greater.
This maximum fine may be enforced in cases where organizations violate the Privacy by Design concepts or fail to have customer consent to process data. Other possible fines may be up to 2% of annual global revenue or €20 Million for lesser offences like failing to maintain sufficient records.
Readiness, Readiness and Once More - Readiness
Even though some of the GDPR guidelines look similar to the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), there are actually more differences than similarities. Statistics collected from EU countries show that the new data protection law is working well. Still, too many organizations have not yet started to review and implement the requirements outlined in GDPR. Some recent studies indicate that up to 20% of organizations have not yet taken the necessary steps to prepare for GDPR compliance.
Written by Nitsan Shachor, GDPR Specialist
The Litcom Approach
Litcom has developed a mature approach to GDPR assessment, built on the experience of our team members. Our approach includes conducting a GDPR gap assessment or readiness assessment – reviewing the requirements outlined in the regulation and comparing current performance against target capabilities. Such an evaluation will:
- Make it clear to the executive team where the main risks lie within the new GDPR legislation.
- Reduce potential penalties for not starting GDPR preparation.
Please contact us for further information.