GDPR: What European privacy regulations mean for Canadian businesses

By Kate Furber
Feb 8, 2018
Photo credit: Pe3check/Thinkstock

If your business has relationships with the European Union (EU), you’ll want to make sure you’re up to date on the EU’s privacy legislation, as one of the toughest privacy regulations in decades comes into full effect in Europe on May 25, 2018. The EU General Data Protection Regulation (GDPR) is intended to harmonize data protection across EU member states, giving customers and employees in the EU greater control over how their personal information is gathered, managed, and used.

The GDPR signals a significant change in the way businesses need to handle privacy. And with non-compliance penalties and fines of up to 4% of a company’s total worldwide annual revenue, as well as the looming prospect of consumer class action lawsuits, there are strong incentives for businesses to get compliance right from day one.

Does the GDPR apply in Canada?

The first thing to understand is that businesses do not need to have a physical presence within Europe to be subject to the GDPR. The GDPR affects businesses with activities in the EU, including:

  • Consumer-facing activities;
  • Employee activities; 
  • Marketing and advertising;
  • Geolocation, profiling, or tracking;
  • Mass communications;
  • Global business operations; and
  • Service provider relationships.

Accordingly, Canadian organizations need to move quickly to determine if these regulations will apply to their business.

The GDPR will apply if your business:

  1. Offers goods or services to individuals in the EU (whether or not payment is required) or monitors the behaviour of individuals in the EU (e.g., through cookies, IP addresses, closed-circuit television, etc.);
  2. Has an establishment (such as an office, branch, or subsidiary) or a representative in the EU and processes personal data (EU or otherwise) in the context of that establishment’s activities, regardless of where the processing itself takes place;
  3. Uses service providers (processors) that are established in the EU, or that process EU personal data on your behalf outside the EU; and/or
  4. Has supply chain members or business-to-business clients that contractually require it to be GDPR-compliant, even where the regulation would not otherwise apply directly.

What are some of the big changes under the GDPR?

For Canadian businesses, complying with the GDPR will require strong data management, notification, and documentation processes, as the GDPR represents a need to significantly raise the bar for personal privacy rights and requires companies to manage data more effectively.

Aspects of the GDPR that will have the biggest impact on businesses include the following:

  1. Mandatory maintenance of data inventory and record-keeping of all internal and third-party processing of personal data;
  2. Mandatory notification of personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of them (unless the breach is unlikely to result in a risk to individuals), notification of affected individuals without undue delay where the breach is likely to result in a high risk to them, and internal documentation of all breaches to be provided to regulatory authorities upon request;
  3. Increased rights for individuals, including the rights to:
    • Request erasure of their data;
    • Request access to all data that a company has about them;
    • Have their data sent to another company in a “machine-readable format”; and
    • Object to the processing of their data, including profiling, and not be subject to decisions based solely on automated processing that significantly affect them.
  4. Data protection impact assessments that must be completed before technology and business changes that are likely to result in a high risk to individuals, along with the implementation of privacy by design and by default; and
  5. Mandatory appointment of a data protection officer for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive data, together with an overall redesign of privacy strategy, governance, and risk management.

What’s more, serious contraventions of the law could be punishable by fines of up to 4% of a group’s total worldwide annual turnover or 20 million euros, whichever amount is greater. In addition, individuals, and the not-for-profit special interest groups acting on their behalf, will have the right to engage in group litigation (class actions) to recover compensation for material or non-material damage, including distress, caused by contravention of the law.

What can Canadian businesses do now to prepare for the GDPR?

Some Canadian businesses could already have GDPR preparations well in hand. Canada has national privacy legislation, and some provinces have provincial privacy legislation as well. Canadian companies that already comply with this national and provincial legislation will find that a number of the GDPR’s requirements are familiar. However, it’s important to note that the GDPR requirements are more onerous than the existing Canadian privacy legal regime, so existing compliance is a starting point, not a finish line.

Though preparing for the GDPR may seem overwhelming, following the steps below can help you take a practical and productive approach:

  1. Understand if and how the GDPR applies to you.
    Ask yourself the questions in the preceding section of this article (“Does the GDPR apply in Canada?”).
  2. Assess the actual risks to, and the potential impact on, your business.
    For example, how much and what type of EU data do you handle? What risks may attract the attention of the regulator? In reality, businesses, litigators, and regulators have to make hard choices about their priorities. The GDPR raises countless compliance issues, and it could be very easy to get mired in the regulation’s complexity. Businesses need to prioritize critical risk issues and key business objectives before addressing matters of lesser importance.
  3. Take a tactical approach.
    Identify areas where you can limit or eliminate the impact of the GDPR altogether. For example, you could anonymize any EU data you intend to use, stop tracking visitors from the EU on your website, and/or stop serving targeted advertising to individuals in the EU. Note that data only counts as anonymized if individuals can no longer be identified by any means reasonably likely to be used; pseudonymized data (for example, names or IP addresses replaced by hashed or tokenized values that could still be reversed or linked back to a person) remains personal data under the GDPR.
  4. Conduct a gap assessment.
    Understand your current practices for the data collection and processing activities that are subject to the GDPR, and assess whether any gaps exist between the GDPR’s requirements and your current privacy practices.
  5. Remediate identified gaps.
    Determine what practices need to be put in place to close any gaps you’ve identified and develop a remediation plan that prioritizes the implementation of remediation activities. The plan may include:
    • Defining a clear strategic vision for GDPR readiness;
    • Establishing clear and documented accountability for GDPR compliance, along with written compliance plans;
    • Reviewing the context for lawful processing and third-party contracts;
    • Documenting processing activities and data flows to understand fully what data is located where, and what enhanced controls need to be put in place to meet the new usage requirements;
    • Developing or enhancing existing processes for privacy by design and privacy impact assessments; and
    • Developing or enhancing existing policies and processes to facilitate data deletion requests and breach disclosure within the required timeframes.

With less than half a year to go, Canadian executives should be armed with GDPR-readiness assessments and a detailed list of compliance gaps.

As many are quickly learning, however, compliance requires more than an ad hoc approach. Solid project governance and a detailed project plan are key to pivoting from the early assessment phase (determining current data practices, creating a data inventory, and assessing current capabilities) toward a management framework that delivers sustainable and demonstrable compliance.

Responsible use in an era of big data

When it comes to data about individuals, companies today have a dual responsibility: 1) to use that data to create more value for the company and its customers, and 2) to do so in the most privacy-centric, ethical, fair, and transparent way possible. While most companies know this, few have documented evidence to show that they’re taking the proper precautions. Proactive organizations are welcoming the GDPR as a platform that could help them realize the full strategic potential of their data.

As the opportunities to use data for growth and competitive advantage increase, so do the related risks. That’s why a sophisticated approach to data-use governance is no longer merely an option—it’s a prerequisite for success in today’s global digital economy.

Kate Furber, CPA, CA, leads PwC’s BC region technology, communications, retail and consumer practice. As an audit and risk assurance partner, Kate not only leads audit teams, but also assists companies with their risk assurance, controls, and corporate governance requirements.

Kate would like to thank David Craig, P.Eng., CRISC, ICD.D, partner, risk assurance, cybersecurity & privacy for PwC Canada, and Jordan Prokopy, CISSP, director, risk assurance, cybersecurity & privacy for PwC Canada, for their contributions to this article.