Data security became a top priority for many businesses around the globe earlier this summer when the European Union's General Data Protection Regulation (GDPR) came into effect. Focused on the collection, storage and third-party sharing of personal data, GDPR applies to organisations established in the EU and to organisations anywhere in the world that offer goods or services to individuals in the EU, monitor their behaviour, or process EU personal data on behalf of such organisations. With fines for violations of up to 20 million euros or 4% of total annual worldwide turnover (whichever is higher), company management must familiarise themselves and their staff with the regulation and prepare their corporate environments for compliance. According to Intersoft Consulting, some key points of GDPR include:
• Personal data may only be processed on a lawful basis; the data subject's consent is one such basis, though not the only one. The data collected must be protected by appropriate technical and organisational measures, such as encryption.
• In certain cases (for example, public authorities and organisations whose core activities involve large-scale monitoring or processing of sensitive data), a Data Protection Officer must be appointed to ensure that the organisation complies with the regulation.
• Individuals whose personal data is collected have a right to be informed about why their data is being collected and what it will be used for. Personal data that is no longer required for its original purpose, or for which the data subject has withdrawn consent, must be deleted.
• International transfer of personal data is only permitted if the destination country has been assessed by the EU as providing adequate protection comparable to GDPR, or if appropriate safeguards such as standard contractual clauses or binding corporate rules are in place.
In Canada, the federal statute is the Personal Information Protection and Electronic Documents Act (PIPEDA). Provinces such as British Columbia, Alberta and Quebec have their own private-sector privacy acts that have been deemed substantially similar to the federal law. According to Osler, Hoskin & Harcourt LLP, key points of PIPEDA include:
• Personal information covered by the Act is that which "is collected, used and disclosed by organisations in the course of a commercial activity which takes place." Information about employees is excluded, except for federally regulated organisations.
• Upon request, organisations must inform individuals of the "existence, use and disclosure of his or her personal information, and must give them access to that information, including a listing of the third-party organisations with whom the information has been shared."
• PIPEDA, PIPA Alberta and PIPA BC also require an organisation to designate an accountable individual, the counterpart of the GDPR Data Protection Officer: "an individual who is accountable for ensuring compliance with the organisation's data protection obligations and who may, in turn, delegate some of his or her responsibilities to others."
• Violations of PIPEDA are investigated by the federal Privacy Commissioner on the basis of a complaint made by an individual, or on the Commissioner's own initiative where there are "reasonable grounds to believe that a matter warrants it." The Commissioner has "the power to summon witnesses to give oral or written evidence, inspect documents and/or compel the production thereof, and inspect premises other than a dwelling house."
• If an organisation transfers personal information to a third party for processing, it "must ensure a comparable level of protection through contractual or other means."
BBC News (2018). GDPR: The great data privacy panic. Rory Cellan-Jones, 25 May 2018.
Intersoft Consulting (2018). General Data Protection Regulation (GDPR).
Osler, Hoskin & Harcourt LLP (2017). Data protection in Canada: The International Comparative Legal Guide 2017. Adam Kardash and Brandon Kerstens, 18 May 2017.