GDPR and Its Implications on Canadian Organizations

Posted on the 06 March 2019 by Litcom

The European Union’s (EU) General Data Protection Regulation (GDPR) came into force on May 25, 2018, and has implications for many Canadian organizations, particularly those controlling or processing personal information in the EU or of its EU data subjects (any person whose personal data is being collected, held or processed).

The GDPR places accountability on Controllers (organizations that determine the purposes and means of processing data) and Processors (organizations that process the personal data on behalf of controllers).

The new GDPR has become a major concern for Canadian organizations for three main reasons:

  1. Scale of requirements;
  2. Broader scope; and
  3. Strict fines in case of noncompliance

This new regulation applies mainly to EU organizations but can also apply to Canadian organizations processing the data of EU citizens and residents. The fines for an organization that is found to be noncompliant can be up to 4% of its annual global turnover (revenues) or up to €20 Million (approx. Cdn $30M), whichever is greater.

GDPR’s Key Requirements

There are a number of key requirements that organizations must fulfill to be GDPR compliant, as follows:

1. Obtaining consent

The terms of consent in the GDPR must be clear. This means that organizations should avoid padding their terms and conditions with complex language designed to confuse their data subjects. Consent should be easily provided and withdrawn at any time.

2. Breach notification

If a security breach occurs, companies have 72 hours to report the data breach to both their data subjects and the relevant EU regional authority. Failure to report breaches within this timeframe will lead to significant fines.

3. Right to data access

If an individual (customer/employee) requests his/her existing data profile, organizations must be able to provide a detailed electronic copy of the data that was collected. This report should also include the different ways in which the individual’s data is being utilized.

4. The right to be forgotten

In Canada, this requirement is known as ‘the right to data erasure’. Once the original purpose or use of the customer data has been realized, any individual has the right to request the entire deletion of his/her data.

5. Privacy by design

This section of GDPR requires organizations to design their systems with the proper security protocols in place from the start. Failure to design systems of data collection appropriately will result in a fine.

6. Potential data protection officers

In some cases, an organization may need to appoint a Data Protection Officer (DPO). The need depends upon the size of the organization and how sensitive the data is that it controls/processes.

Potential Penalties for Noncompliance with GDPR

As stated before, under GDPR, organizations can be fined up to 4% of their annual global revenue, or €20 Million, whichever is greater.

This maximum fine may be enforced in cases where organizations violate the Privacy by Design concepts or fail to have customer consent to process data. Other possible fines may be up to 2% of annual global revenue or €20 Million for lesser offences like failing to maintain sufficient records.

Readiness, Readiness and once more - Readiness

Even though some of the GDPR guidelines look similar to the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), there are actually more differences than similarities. Statistics collected from EU countries show that the new data protection law is working well. Still, too many organizations have not yet started to review and implement the requirements outlined in GDPR. Some recent studies indicate that up to 20% of organizations have not yet taken the necessary steps to prepare for GDPR compliance.

Written by Nitsan Shachor, GDPR Specialist

The Litcom approach

Litcom has developed a mature approach to GDPR assessment, built on the experience of our team members. Our approach includes conducting a GDPR gap assessment or readiness assessment: reviewing the requirements outlined in the regulation and comparing current performance against target capabilities. Such an evaluation will:

  • Make it clear to the executive team where the main risks lie within the new GDPR legislation.
  • Reduce potential penalties for not starting GDPR preparation.

Please contact us for further information.
