Now is the Time for Canadian Businesses To Become GDPR-Compliant

By Ian Phillpot

The European Union’s (EU) General Data Protection Regulation (GDPR) is now in effect. If businesses haven’t already taken the necessary steps to comply with the rules, they could be in big trouble.

In fact, most Canadian companies aren’t aware how the GDPR impacts them, and what they need to do to prepare. A 2017 survey from DocsCorp found that 73% of Canadian and US companies had not begun preparing for the GDPR, and 54% did not even know the deadline for compliance.

The GDPR rules are wide-ranging — they encompass all businesses working with EU data and include strict mechanisms that implement tighter rules for companies when it comes to the handling of that data. The rules apply to companies in all countries, including Canada, that have access to EU personal information. This includes European customers or clients, or those that process European data on behalf of their clients. In fact, they need to think about data shared with all the stakeholders they collaborate with.

The fines for violating the GDPR are immense, and there’s no way to opt out. Businesses must comply or be subjected to heavy fines of up to €20 million, or 4% of their global gross revenue – whichever figure is the greater.

It’s important that business leaders take action now in order to avoid the crippling penalties. Here are the keys to understanding the GDPR’s compliance rules, and how Canadian companies can prepare themselves accordingly.


Under Article 5 of the GDPR, it’s necessary to be fully transparent about the data in your possession, which forces businesses to be aware of the information they’re storing and collecting in case that data is requested by a GDPR regulator. This also includes records of consent for collection, and the installation of proactive privacy practices that are transparent to customers.

Too often, company data is stored in multiple locations. This is mostly due to organic growth: over the years, several data centers, databases, applications, operating systems, hardware platforms, desktop and mobile systems have grown and been integrated together. This means, however, that many companies do not even know exactly where personal data is being held.

Compliance with the GDPR requires mapping out the data you control, understanding where it sits, where it is flowing and who has access, both inside and outside of Canadian borders. Businesses also need to reorient how they develop data capture application forms so that they’re clear and straightforward, and so that customers are aware of what they’re signing up for.

Usage controls

The GDPR enforces strict new usage controls over data that companies possess. These include principles such as “data minimization,” “data portability,” and the infamous “right to be forgotten.” This last principle, detailed in Article 17, provides data subjects with a new right to request access to and deletion of their personal data. In order to get a handle on all these principles, companies must establish internal strategies and take the necessary steps to ensure data protection by design and by default.

For many businesses it will also require the implementation of new data management processes. For the collection of new data, as well as the organization of older data within their systems, they need to be prepared to have full visibility of customer information. That way, if a regulator were to request access to the organization’s data, they’ll be fully prepared to comply.

Mandatory breach notification

Companies will be required to report on any data breaches within 72 hours to both GDPR regulators and to those directly affected by the breach. Failure to report properly and fully within 72 hours could result in penalties of up to four per cent of global annual revenue. Data breaches under the GDPR include any breach “leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” The term broadly encompasses any unauthorized use or access of personal data.

In the case of a breach, in order to comply with the 72-hour rule it’s imperative for companies to be able to document breaches as thoroughly as possible and have a plan in place to provide all the necessary details to GDPR regulators, including the categories and approximate number of individuals and data records concerned, and the potential consequences of that breach.

Hiring a data point-person

It may also be of value to hire a data controller that oversees how data is being managed by the organization, what future changes to the GDPR legislation may impact the personal data under their control, and what kind of notifications the company needs to deliver to their customers. This position ultimately becomes the point person in the case of a query from the regulator, with the insight to demonstrate that the organization hasn’t violated the GDPR.

The requirements for GDPR compliance are immense. Canadian companies need to take action now, if they haven’t done so already. Staying informed of GDPR regulations and having the content management software in place to comply with the rules will be key to avoiding any breach of the law.

Ian Phillpot is Vice President at Box Canada
