On May 25, the General Data Protection Regulation ("GDPR") will take effect in the European Union. These regulations will substantially modify the rules surrounding the protection of "personal data", which is defined as "any information relating to an identified or identifiable natural person". But most importantly, in addition to targeting companies across the Atlantic, the GDPR can also have a direct impact on Canadian employers processing their employees' personal data. It is therefore essential for any employer to clearly understand this new regulation. The purpose of this text is to summarize the GDPR and then identify some of the requirements that may pertain to Canadian employers.
What is it? A Regulation Applying to the Entire European Union
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data differs from the former Directive 95/46/EC in that it is directly applicable throughout the European Union, without needing to be transposed into the law of each Member State. In other words, the same text will apply throughout the European Union, with a few variations depending on the area of application and the Member State concerned. The purpose of the GDPR is:
- to strengthen the privacy rights of natural persons,
- to hold accountable all stakeholders involved in the handling of personal data (both controllers and processors), and
- to harmonize practices within the European Union in this area while promoting cooperation between supervisory authorities.
Where does it apply? Potentially in Canada
Some might say, "So what? As a Canadian organization, this doesn't concern me." However, it does. Indeed, the GDPR applies if you have an "establishment" - a fairly broad concept - within the European Union, or even where your processing activities are related to the offering of goods/services to data subjects in the EU, or to the monitoring of their behaviour. In short, the GDPR can be extraterritorial in scope, making this new regulation "everyone's business".
When? May 25, 2018
The time for the GDPR is now. The regulation entered into force on May 24, 2016, and will become enforceable as of May 25, 2018. Practically speaking, as of that date, a non-compliant organization could be subject to sanctions, including fines, imposed by the competent supervisory authority. However, if you are a late adopter, does this date really mean the end of the world? Somewhat, if you have done nothing - that is, if you have not built a clear and phased strategy to comply with the GDPR's requirements. In this respect, the French Commission Nationale de l'Informatique et des Libertés (CNIL) indicated that May 25, 2018 is not a "cut-off date" but, above all, a step towards the final goal.
How much is it? Up to 20 Million Euros or 4% of the Total Worldwide Annual Turnover of the Preceding Financial Year
Sanctions can be costly, especially since the exchange rate between the Canadian dollar and the euro leaves Canadian organizations at a disadvantage. In short, administrative fines may range from 10 to 20 million euros, depending on the category of the offence, or, in the case of a business, from 2% up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Sanctions will be individualized and proportionate, depending, for example, on the organization's efforts to comply with the GDPR. The numbers should nevertheless be worrisome. It should be noted that the sanctions imposed by Canadian privacy commissioners appear small compared to those defined in the GDPR.
What to do? Act Rather Than React
If you are a Canadian employer and you believe that the GDPR applies to your business, you must develop a compliance plan right away. This plan, tailored to each case, is essentially intended to list all the steps required to achieve compliance with the GDPR's requirements. Here are some examples of things to consider:
- revise all employment contracts to specify the legal basis and purposes for processing personal data;
- review internal privacy policies, in particular to clarify the rights of employees with regard to their personal data (access and rectification, but also the right to erasure, the right to data portability, etc.);
- re-evaluate the retention period for employees' personal data;
- appoint a Data Protection Officer (DPO);
- create a personal data processing registry, with an employee-specific section;
- verify the organizational and technical measures put in place by all service providers with access to employees' personal data;
- assess the need to conduct Data Protection Impact Assessments (DPIAs); or
- put in place procedures in the event of data breaches.
In short, pressing ahead with such a compliance plan is the best way to eat the elephant one bite at a time without risking indigestion.