GDPR Compliance In Canada

The General Data Protection Regulation (GDPR) worries many companies in Canada and the USA, especially those doing business online. GDPR, Europe's most comprehensive data privacy law, affects businesses across the globe, and its requirements have raised concerns for non-European businesses in particular. Because the law is not limited by the physical boundaries of the European Union or the European Economic Area, it applies to companies based in the USA, Canada and other parts of the world. This article focuses on the impact of GDPR compliance in Canada and how businesses are affected by the law. But before we look at the impact, let us first understand what GDPR is in the EU.

What is GDPR?

The General Data Protection Regulation (Regulation (EU) 2016/679) is an EU law on data protection and privacy that applies across the European Union and the European Economic Area. It protects the rights of individuals in the EU over the collection, processing and transfer of their personal data. Note that the regulation protects data subjects who are in the EU, not only EU citizens: an EU citizen living abroad is generally not covered, while a Canadian visiting the EU is.

Who does the GDPR Apply To?

Any organization, irrespective of its location, that collects, uses, processes or transfers the personal data of individuals in the EU, whether for its own business (as a controller) or on behalf of its business clients (as a processor), must adhere to the regulation. Under Article 3 (territorial scope) this covers organizations established in the EU as well as organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour there. Failure to comply can result in fines. Note that a non-compliant website is not automatically blocked in the EU; however, a number of non-EU businesses have chosen to geo-block visitors from EU member states rather than bring their sites into compliance.

What does it mean to Canadian business?

Most businesses and organizations that regularly engage with EU companies or individuals in the EU are expected to be GDPR compliant, and this has been a major concern for many businesses in Canada. A Canadian business whose website offers goods or services to people in the EU (for example by pricing in euros, using an EU language, or delivering to EU addresses) will need to comply with the GDPR. This is particularly important for Canadian organizations because many Canadian privacy laws are broadly similar to the GDPR, so it is easy for a company to assume it is already compliant when it is not.

What types of Canadian business does GDPR Affect?

  • Canadian businesses that have an establishment (offices or employees) in the EU.
  • Businesses that offer goods and services (through websites, mobile apps, etc.) to individuals in the EU.
  • Business websites and mobile apps that use cookies to collect IP addresses and other personal data from individuals who are in the EU. 
  • Businesses that collect and/or process personal data of individuals in the EU for their own business or on behalf of their business clients. 

GDPR Regulations that Canadian business owners need to be aware of

Canadian business owners need to be aware of certain articles of the GDPR that directly affect their operations. Article numbers below refer to the final text of Regulation (EU) 2016/679; older summaries sometimes quote the numbering of the 2012 draft, which differs.

Article(s) and description

Articles 17, 18 and 20 (right to erasure, restriction of processing, data portability)
  1. Give individuals control over their personal data, especially where it is processed automatically by a website or system. The right to data portability (Article 20) lets individuals receive their data in a structured, commonly used, machine-readable format and move it between service providers far more easily than before.
  2. Individuals also have the right to erasure (Article 17) if they wish their personal data to be deleted, and the right to restrict processing (Article 18) while, for example, a dispute over accuracy is resolved.

Articles 25 and 32 (data protection by design and by default; security of processing)
  1. Both articles require companies to protect personal data with appropriate technical and organizational measures, such as pseudonymization, encryption, and the ability to restore availability after an incident, guarding against exploitation, undue exposure and misuse of data.

Articles 33 and 34 (breach notification)
  1. Article 33 requires data controllers to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, describing the nature of the breach and the approximate number of data subjects and records affected. Processors must notify their controller without undue delay.
  2. Article 34 requires controllers to inform affected data subjects without undue delay when a breach is likely to result in a high risk to their rights and freedoms.

Articles 35 and 36 (data protection impact assessments; prior consultation)
  Article 35 requires a Data Protection Impact Assessment before processing that is likely to result in a high risk to individuals, so that companies identify risks to their customers' data in advance. Article 36 requires consulting the supervisory authority where the assessment shows a high residual risk that cannot be mitigated.

Article 37 (designation of the data protection officer)
  Article 37 requires the appointment of a data protection officer where the core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (such as health or genetic data) or data relating to criminal convictions, and for public authorities. The DPO advises the company and acts as the point of contact for supervisory authorities and data subjects.

Articles 38 and 39 (position and tasks of the data protection officer)
  Define the position of the data protection officer (independence, resources, reporting to the highest management level) and the DPO's tasks, including advising on GDPR obligations, monitoring compliance, and cooperating with the supervisory authority.

Article 3 (territorial scope)
  Extends the regulation beyond the EU's borders: an organization outside the EU must determine whether it is subject to the GDPR because it offers goods or services to, or monitors the behaviour of, individuals in the EU.

Article 83 (administrative fines)
  Sets out the conditions for imposing administrative fines on organizations that fail to comply, and the maximum amounts (see below).

Consequences of Non-Compliance to GDPR Compliance in Canada

Non-compliance with the GDPR has severe consequences for Canadian organizations that fall within its scope. Supervisory authorities have the power to perform audits to verify compliance, issue warnings and reprimands, order companies to make specific improvements within set deadlines, order the erasure of individuals' data, and suspend data flows to recipients in other countries. Fines under Article 83 are set according to the circumstances of each infringement, taking into account factors such as its nature, gravity and duration, whether it was intentional or negligent, and what mitigating action was taken. The maximum fines are tiered: up to €10 million or 2% of worldwide annual turnover for the preceding financial year, whichever is higher, for infringements such as failing to implement security measures or notify breaches; and up to €20 million or 4% of worldwide annual turnover, whichever is higher, for infringements of the basic principles of processing, data subjects' rights, or international transfer rules.

Conclusion 

Canadian companies that are already PIPEDA compliant may find that much of their data infrastructure is already close to GDPR compliance. The Personal Information Protection and Electronic Documents Act (PIPEDA) sets out rules for the collection, use and disclosure of personal information by private-sector organizations in Canada, and the European Commission has long recognized PIPEDA as providing adequate protection for transfers to Canadian commercial organizations. Organizations already compliant with PIPEDA and looking to achieve GDPR compliance may therefore find the process simpler, and can use their PIPEDA procedures as the starting point for GDPR compliance in Canada. It is still important to understand the major differences between the two laws, for example the GDPR's 72-hour breach notification window, its right to data portability, its DPO requirement, and its far higher fines, in order to bridge the gap. Adequacy eases transfers of data from the EU to Canada; it does not exempt a Canadian organization that falls under Article 3 from the GDPR's own obligations. This is where experts like us at VISTA InfoSec come in, providing organizations with end-to-end assistance in compliance.

VISTA InfoSec is a reputed cyber security consulting service provider offering comprehensive compliance services. Having served the industry for nearly two decades, we can help ease your journey to GDPR compliance. For more details on our GDPR compliance services, drop us a mail at info[@]vistainfosec.com

Narendra Sahoo

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.