(Originally posted on LinkedIn, May 15 2017)
I am looking forward to the next IAPP Canada Symposium, as I always do, and this time I am wondering if now Canadian companies are finally going to start doing something about the #GDPR. I spoke two years ago about the state of our laws; I spoke last year about what Canadian companies need to do with regard to complying with the GDPR.
The reason for the title is simple; we have been very comfortable with our ‘adequacy’ finding, but the transfer of data under our adequacy finding is not by itself adequate to deal with the requirements of GDPR. In contrast, there is work being frantically done in the US and the EU to address GDPR compliance. Until this point, the understanding that GDPR means something consequential for Canada, has not seemed to instigate more than conversations about possibly getting someone on board to take charge. But time is running out; as of May 15, 2017 there are only 263 working days, not including vacations, between now and May 25, 2018 when GDPR comes into effect.
If a Canadian company is doing business in Europe, then yes it can (with certain qualifications) bring personal data without need of model clause agreements or other mechanisms. However, that does not meet all the requirements of the GDPR. Canadian companies must if collecting information from EU residents act in all respects as a European company would – notably:
- The right to be forgotten – Canadian companies have to be able to act on a request by a European customer
- Record keeping requirements – you will need to have your Article 30 records of processing, just as any EU company would
- Data protection impact assessments – you will need processes to meet Article 35’s requirements when you trigger its requirements, and document your DPIAs
- Appointment of DPO where warranted – you may need to have someone appointed as a DPO, perhaps in individual countries, where your business is primarily processing personal data, and the expectations for this may rise depending on national derogations
- Onward transfers – Article 28 of the GDPR requires adequate protection for onward transfers from Canada elsewhere, as well as restrictions without the controller’s approval
- Representative office in Europe – if you don’t have a physical presence there, you will need to appoint a representative office
- Data breach reporting – new for a lot of Canadian organizations, you will need to report within 72 hours a data breach to your lead regulator (and of course, you know who that is, right?)
- Enforcement – fines of up to 4% of global revenue or EU20 million, whichever is greater
If you are a data processor – a service provider to an EU company – then you are not off the hook. The obligations will be passed on by contract to you in any event through data transfer agreements as your customer are obliged to do so – and you are also subject to the requirements of the GDPR directly, for pretty much the same things I have set out above. The fines will be 2% of global revenue or EU10 million, but note this doesn’t let your client (the processor) off the hook – you can both be found liable independently.
What can Canadian companies do? There are no silver bullets; this is going to require work. You need to update your #privacy program to address the requirements of the GDPR. Some Canadian companies, because they have been doing what they should under PIPEDA or provincial laws, will be in a good position with some additional activities and capabilities. For the rest, it is quickly going to become a question of what they can do in the time that remains, and it means prioritizing based upon risk.
In any event, if you don’t have a plan, now is the time to get moving on it.