Why does my organization need to get ready?
The General Data Protection Regulation (GDPR) is a new data protection law that will apply across the European Union (EU) and impact organizations across the world as of May 25, 2018.
Organizations outside of the EU are required to comply with the GDPR if they process personal information of EU residents (e.g. if they offer goods or services to, collect, store or handle personal information of, or monitor the behaviour of EU residents). As such, almost any organization with an internet presence may be impacted.
The GDPR contains significant fines for non-compliance – up to €20 million or 4% of annual worldwide revenue. In addition, the GDPR includes statutory rights for individuals who have suffered damages to seek compensation from organizations, and for public interest organizations to bring class actions on behalf of such individuals. Damages are not strictly limited to financial loss, and may also be available for non-financial loss (e.g. distress, reputational damage).
What are the immediate steps my organization needs to take?
Organizations impacted by the GDPR need to at a minimum take the following steps before May 25, 2018:
- Review and update websites and other contact points where personal information from EU residents may be collected to ensure that appropriate consent is obtained.
- Review and, where appropriate, update contracts with third party service providers, including via development and implementation of privacy terms/a privacy supplement for contracts regarding products or services being offered in the EU or where there may be collection of, access to or storage of the personal information of EU residents. Additional requirements or terms may typically be added via an addendum to existing contracts.
- Review and update internal privacy policies and procedures to enable the organization to meet the GDPR requirements. In many cases this will include developing and implementing an internal privacy breach procedure. When taking this step, organizations should also bear in mind that mandatory breach notification will be required in Canada as of November 1, 2018 for organizations whose privacy practices are governed by the federal government’s Personal Information Protection and Electronic Documents Act (otherwise known as PIPEDA).
- Review and update security safeguards used by the organization, including technical and organizational measures used to safeguard data, in order to ensure adequacy and facilitation of compliance.