A Guide to the GDPR in Canada

Posted by Kevin D'Arcy on Jan 26, 2018 2:08:38 PM
For quite some time, there’s been considerable panic about a piece of European legislation called the Global Data Protection Regulation (GDPR). The GDPR, set to go live in May 2018, outlines new measures that businesses must take in order to lawfully hold the data of EU citizens. In essence, businesses need to ensure that consent is obtained for all data held and implement internal processes to guarantee that data is protected.
The scope of the legislation is such that any global company which holds data on an EU citizen will be forced to comply or incur massive fines. This means that if your business holds EU citizen data, but is physically located in Canada, you’ll be forced to comply or face massive fines. 

All Canadian businesses, from startups to SMEs and multinational organizations, will have to take extra care to make sure they aren’t leaving themselves open to massive fines. But where does the GDPR start and end when it comes to Canadian businesses?
How Does the GDPR Apply to Canadian Businesses?
The GDPR applies to Canadian businesses in a number of ways, but the most important thing to understand is that you don’t have to have a physical presence in the EU in order to be included under the regulation. Your business will be covered by the GDPR if you hold any data on an individual located in the EU. If you hold data on an EU citizen, you’ll need to comply with all of the requirements or you’ll be hit with massive fines.

There are two tiers of fines that can be incurred for violating the GDPR. The first is a hefty fine of up to €10 million or 2% of your company’s global annual turnover, whichever is higher. The second is a massive fine of up to €20 million or 4% of your company’s global annual turnover. This means the price of non-compliance can be extremely high.
Complying With the GDPR
In order to avoid being hit with extortionate fines, it’s important to understand the fundamental aims of the GDPR. The GDPR aims to make businesses more accountable and accessible to data subjects. It also aims to ensure that EU citizen data is adequately protected. Companies that hold data on EU citizens are separated into two classes: controllers and processors.

A controller is an organization or entity that decides the means by which personal data is processed, and a processor is an entity that processes personal data for a controller. The definitions are vague to ensure that any business transferring data on EU citizens is covered. This is made more confusing by the fact that Canadian privacy laws don’t accept this definition of controllers and processors, but you’ll still need to comply to prevent a fine.
Controllers and Processors

The GDPR dictates that Controllers are the entities that hold primary responsibility for protecting the data of EU citizens. As such, the burden is on them to select a Processor who will comply with EU regulations. Controllers will need to conduct a Privacy Impact Assessment when processing private data, and must take extra steps to record all of their data processing activities.

A PIA will determine all the privacy risks faced by your data subjects. Likewise, Processors must implement safeguards to protect EU data, such as deleting data once they’ve finished processing it and notifying the controller if there is a data breach. Processors MUST NOT subcontract unless given expressed permission by the data controller.


1. Consent of Data Subjects

In many ways, the GDPR has raised consent as one of the central parts of compliance. The regulation defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

This shifts the burden of data consent from silence, to affirmative expressed permission and parental permission for children under 16. Lack of objection to data records no longer constitutes consent. This gets a little more complicated when we consider the imbalance of power clause. 

In any data subject and controller relationship where there is perceived to be an imbalance in power (such as an employee-employer relationship), consent will not be considered to have been given freely. As such, businesses will need to monitor what data is kept and be proactive in ensuring it is supported by expressed consent.

2. The Right To Erasure
In addition to the importance of consent, the GDPR also outlines the right to erasure. Under the GDPR, controllers are required to erase personal data on demand if the subject requests. In other words, a subject’s data must be destroyed if they withdraw their consent. Likewise, the right to erasure also covers data that is no longer needed, or was obtained or processed unlawfully. In addition, businesses also need to inform any other controllers who might have had this data that consent has been revoked.
3. Data Breach Notification
In the event of a data breach, a controller is required to notify any and all affected data subjects within 72 hours of detection. They will also be required to contact all relevant regulatory authorities. However, controllers will need to contact subjects immediately if there is any risk of damage to their rights and freedoms.

This broad definition makes it very important for Canadian businesses to be able to manage their data and secure its integrity, in order to be able to respond within 72 hours or immediately after data theft, loss or damage. Likewise, both controllers and processors will need to inform a data protection authority that there has been a breach, and provide a legitimate reason for any delay.
4. Appointing Data Protection Officers
In order to oversee data protection, both controllers and processors need to designate a data protection officer. Organizations will need to appoint an officer if a public authority or body manages data processing or if day-to-day activities involve regular monitoring of individuals on a large scale and core activities consider large scale processing of data concerning racial origin or political views. 

The data protection officer is intended to remain independent of the data processing activities and will ensure that data management procedures are in place to ensure the protection and integrity of European subject data. They will also be expected to act as a point of contact for data subjects and the regulatory authorities. 
How Canadian Businesses can Ensure Compliance

Whilst the requirements set out in the GDPR are very stringent, it also bears a number of similarities to the Personal Information Protection and Electronic Documents Act. As a result, many businesses in compliance with PIPEDA will already have a number of well-defined data management practices and privacy policies in place. That being said, PIPEDA is not the GDPR. In order to comply you’ll need to run an overview of your current system to fill in the gaps.

The new additions brought about by the GDPR that depart from PIPEDA are the appointment of a data protection officer and the mandatory breach notification. The best place to start is by commissioning a full-scale compliance assessment of all current policies and practices in order to identify problems. Once you’ve identified these you can start to develop a new plan to tailor your processes to comply with the GDPR.

Even if you fall foul of the GDPR, an audit can help to prove that you took significant steps towards securing your subject data. This way if you receive a fine you might be eligible for a reduction. A track record of implementing privacy policies will differentiate your business from those who aren’t taking any steps towards compliance.

For more information about document compliance, be sure to visit our compliance and risk mitigation overview here
