The General Data Protection Regulation (GDPR) is all about protecting personal data – and it’s not just changing the landscape of data protection law, but the way that companies collect and manage personal data across the globe.
Understanding the GDPR
The internet has changed the way we communicate and handle information. We send emails, we share documents, we pay bills and share personal details online without a second thought.
But, have you ever stopped to wonder how much personal data you have shared online?
In an effort to control the inflow and outflow of ‘personal data’ harnessed by companies, the European Union has enacted a set of rules, the EU General Data Protection Regulation (GDPR), to harmonize data protection law across the member states of the European Union. Effective May 25, 2018, what many organizations in countries like Canada or the United States have not foreseen is that the GDPR will also affect the way they may use, store, and share data.
The GDPR has broad territorial scope. It applies to:
- Any organization that has an establishment in the EU
- Any organization established outside the EU that targets individuals in the EU by offering goods or services, or by monitoring the behaviour of individuals in the EU
- Organizations of all sizes (public and private)
- Both data controllers and data processors
The GDPR also grants enhanced rights to “data subjects”, some of which differ from Canada’s PIPEDA:
- The right to readily available information, in plain language, about how personal data is used.
- The right of access to personal data, including information about the source from which it was collected.
- The right to erasure of all data that is no longer needed for the purpose for which it was collected (the organization must respond to the request within 30 days).
- The right to data portability: the organization must provide the individual with the collected data in a format that makes it easy for the individual to move it to another data controller.
*Personal data is defined broadly as any information relating to an identified or identifiable natural person (e.g. an IP address), and it includes “pseudonymous” data such as mobile device IDs.
GDPR ≠ PIPEDA (Differences from Canada’s PIPEDA)
From a Canadian perspective, there are five operational differences between Canada’s PIPEDA and the EU’s GDPR in how data is processed. To avoid duplication of effort, we compare those differences below so you can focus your compliance work on what actually changes.
Consent is a central feature of PIPEDA: under section 6.1, organizations are expected to obtain express or implied ‘consent’ before using personal information. Under the GDPR, ‘consent’ is also a valid basis for the collection, use, and disclosure of personal information (Article 6); however, the GDPR is more flexible in that performance of a contract or legitimate interests are also valid grounds for collection.
The GDPR has no concept of ‘implied consent’. Consent must be i) given by an affirmative act of the individual, ii) given separately rather than bundled into a contract, and iii) freely given, without a clear imbalance of power.
Under the GDPR, Article 20 grants the right to “data portability”: individuals have the right to receive their personal data in a structured, commonly used and machine-readable format and to transmit it to another data controller if they choose. This gives individuals unprecedented control over their personal information, something PIPEDA does not currently provide.
Right to be forgotten
Under Article 17 of the GDPR, individuals can request that organizations “erase” personal information that is no longer necessary for the purposes for which it was originally collected or processed. PIPEDA has a similar legal obligation under principle 4.5; however, the GDPR goes one step further by requiring organizations to inform other organizations when an individual retracts publicized data through an erasure request. For example, if a data controller has made the data public (on a social media site, say), the controller is obliged to take reasonable steps to inform other data controllers who have received the information of the withdrawal of consent.
Unlike PIPEDA, the GDPR contains strict data breach provisions in Articles 33 and 34 that go beyond PIPEDA’s three main obligations:
- The organization must keep records of any breach of security safeguards and produce them to the Privacy Commissioner if requested.
- If the breach creates a real risk of significant harm to an individual, the organization must report the breach to the Privacy Commissioner of Canada as soon as feasible.
- The organization must also notify the individual if it is reasonable to believe the breach creates a real risk of significant harm to the individual.
The key differences of GDPR from PIPEDA are:
- Data breaches must be reported to the supervisory authority without undue delay, no later than 72 hours after the organization becomes aware of it.
- If the breach is not a high risk to the rights and freedoms of the individuals, the organization does not need to communicate the breach to the individual. (i.e. the breach only needs to be communicated to the supervisory authority)
- The GDPR has a broader definition of breach: a “personal data breach” is a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” This suggests that technical failures resulting in the destruction or alteration of data, without any human intervention, could be reportable under the GDPR, whereas they would not appear to be reportable in Canada.
Similar to the “privacy by design” principles recognized in Canada, the GDPR contains additional restrictions on the collection and retention of personal data, including:
- Stricter data protection policies and procedures.
- Enhanced record keeping obligations.
- Requirements for data protection impact assessment for high-risk activities.
- Requirements for stronger security measures matching the risk of the data breaches and potential harm to individuals.
It’s important to note that Canada already does a great job of enforcing strong privacy laws to protect its citizens from breaches of personal information. However, to stay compliant with the EU’s GDPR, it’s critical for organizations with any degree of influence over, or connection with, EU citizens to ramp up and adjust their compliance strategies before May 25th, 2018.
Developing a compliance journey is well worth the effort to avoid potential fines of up to 2 percent or 4 percent of annual worldwide turnover.
To learn more about the Microsoft technologies that are committed to the GDPR’s terms, reach out to a Softlanding account representative today at firstname.lastname@example.org.