The General Data Protection Regulation (“GDPR”), in force since May 25, 2018, concerns the protection of personal data of individuals within the European Union (“EU”).
Canadian companies are subject to the GDPR if they have a business in the EU or if they deal with the personal data belonging to European residents in the context of offering them goods and services or monitoring their behavior.
Such companies have, in particular, the following obligations:
- they must consider the requirements relating to data protection from the moment products and services use personal data, and have a secure information system in place;
- they must be able to demonstrate that the individual concerned has given clear, free, informed and specific consent;
- in some cases, they must designate a data protection officer;
- all activities that may have significant consequences on the protection of personal data must be preceded by a privacy impact study, which must also set out measures to reduce the possible consequences of potential damage to the protection of personal data;
- they are required to notify the national protection authority concerned, as soon as possible, in case of a serious data violation.
To comply with the GDPR, and thereby avoid financial sanctions of up to 4% of the company’s annual global revenue or 20 million euro (whichever is higher), it is recommended that companies:
- develop codes of conduct and internal privacy policies;
- revise their employment contracts;
- appoint a representative for the protection of personal data within the EU;
- keep a detailed record of the processing of personal data;
- identify the personal data processing that could present high risks to the rights and freedoms of the individuals concerned, and conduct a data protection impact assessment for each such processing;
- implement procedures in case of security incidents.
Canadian companies that are not currently subject to the regulation will, however, be contractually bound to comply with the GDPR if their clients are subject to it. It is also very likely that Canadian laws will evolve in that direction.
By Mélanie Masson