GDPR is Coming – Time to Prepare!


Much of the interesting news this year, especially if you discount the never-ending circus that is the US election, concerned the UK decision to leave the European Union. Commonly referred to as Brexit, this vote on June 23rd was won 52% to 48% by the Leave side. The fallout has been a fall of almost a fifth in the value of the British pound sterling against the US dollar, and renewed calls for another Scottish referendum on leaving Great Britain. Here in North America it is tempting to think that, apart from international market influences, what happens in the EU has little impact over the pond. However, we are all living in an interconnected global data biosphere, and a regulation signed in the EU in May of 2016 will have an impact here.
The GDPR (General Data Protection Regulation) was published on May 4, 2016 and comes into effect after a two-year transition period on May 25th 2018. The GDPR is intended to standardize the patchwork quilt of EU member state data privacy laws that resulted from the Data Protection Directive (“the Directive”), which was adopted in the EU in 1995 but was not legally binding on companies and individuals. The penalties for non-compliance are pretty stiff: up to €20m or 4% of worldwide revenue, whichever is higher! Apart from the scary fines, you might be wondering why a Canadian or US based business should be concerned about an EU regulation. Why should the UK, which is leaving the EU, be concerned?
It was best stated by the Information Commissioner’s Office (ICO), a UK based independent authority set up to uphold information rights in the public interest: “…once implemented in the EU, the GDPR will be relevant for many organizations in the UK… With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial…” Again, the globally interconnected data biosphere comes into play. Under the Directive, the impact was pretty much limited to companies with an operation in the EU, but the GDPR is more wide reaching. The GDPR applies not only to companies with an EU operation, but also to companies that engage in data processing activities relating to offering goods or services to EU residents, or to monitoring the behaviour of EU residents, which may include tracking internet activity for behavioural advertising purposes. Think of your website that offers anything for purchase and drops a cookie to track interest.
Some of the most important regulation fine points include the approach to consent:
1) “Opting out” of consent does not appear to be permitted. So those email blasts that offer the ability to opt out or unsubscribe may not be following policy.
2) Any child under 16 requires parental consent.
3) Explicit consent is required for sensitive data and there must be an option to withdraw or refuse consent.
In some circumstances, companies may need to hire or appoint a Data Protection Officer. These circumstances include situations where in the exact words of the regulation:
i) Processing is carried out by a public authority,
ii) The core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale, or
iii) The core activities consist of processing on a large scale of special categories of data.
Do your business a favour and Google GDPR and start to consider the potential impact on your data privacy rules and procedures. If your company already complies with PIPEDA (Personal Information Protection and Electronic Documents Act), you may already be most of the way there, as many of the requirements and restrictions in GDPR are similar to what is in PIPEDA.
There is an excellent article on what GDPR means to Canadian business at this link:–Key-Points-for-Canadian-Businesses. Start preparing now for May 2018.
