With Less Than 1 Year Before GDPR Takes Effect, Make Sure Your Organization is Ready

In early June, the Government of Canada came to its senses by suspending the provision of Canada’s Anti-Spam Legislation (“CASL”) that would have enabled a private right of action to be brought as of July 1, 2017. While this decision provided temporary relief to businesses that feared frivolous million-dollar lawsuits, compliance with CASL is still a reality for businesses. As we discussed on the Spotlight in April, the three federal agencies that enforce CASL still have the authority to impose administrative monetary penalties against businesses.

However, lost in all the CASL attention is the pending introduction of the European Union’s General Data Protection Regulation (GDPR). Just as businesses scrambled to become CASL compliant prior to July 1, 2017, there is no doubt that the same scramble will take place as businesses turn their attention to the GDPR.

If your organization offers goods or services to residents of the European Union over the Internet, or processes the personal data of any such European Union residents, your organization will likely be required to comply with the GDPR, even if your organization has no physical presence in the EU.

The GDPR, which is expected to come into force on May 25, 2018, imposes a number of additional burdens on organizations, and the penalties for breaches are steep: up to 4% of annual worldwide turnover (revenue).

The new rules contained in the GDPR include:

  • requirements to obtain unambiguous consent;
  • obligations to report data breaches within prescribed time periods;
  • contractual and other obligations between a data collector and data processor;
  • special consent requirements for the collection of children’s data and special protections for children’s personal data (this can particularly impact social media, users of mobile apps and the education industry); and
  • new terms required to be included in privacy policies (which must be written in clear and plain language).

As Paige Backman, Chief Privacy Officer at Aird & Berlis, noted in a recent article for Bloomberg Law, the GDPR has the potential to significantly alter business structures and processes for companies outside the European Union. This is catching many businesses by surprise.

The Canadian Parliament’s House of Commons Access to Information, Privacy, and Ethics Committee has been reviewing Canada’s PIPEDA to assess whether changes to PIPEDA are required, including whether PIPEDA needs amendments to accord with the GDPR. If PIPEDA is not deemed to offer sufficient protection relative to the GDPR, our business relationships in the EU and Canadian businesses’ abilities to process EU data may be compromised. Paige Backman provided testimony to the House of Commons’ Privacy and Ethics Committee recommending changes to PIPEDA, including certain changes that would accord with the GDPR requirements.