The Privacy Inquisition

By Constantine Karbaliotis
•
May 15, 2017
I am looking forward to the next IAPP Canada Symposium, as I always do, and this time I am wondering whether Canadian companies are finally going to start doing something about the GDPR. I spoke two years ago about the state of our laws; I spoke last year about what Canadian companies need to do with regard to complying with the GDPR. The reason for the title is simple: we have been very comfortable with our 'adequacy' finding, but transferring data under that adequacy finding is not by itself adequate to deal with the requirements of the GDPR. In contrast, work is being done frantically in the US and the EU to address GDPR compliance. Until this point, the understanding that the GDPR means something consequential for Canada has not seemed to instigate more than conversations about possibly getting someone on board to take charge. But time is running out: as of May 15, 2017 there are only 263 working days, not including vacations, between now and May 25, 2018, when the GDPR comes into effect. If a Canadian company is doing business in Europe, then yes, it can (with certain qualifications) bring personal data to Canada without need of model clause agreements or other transfer mechanisms. However, that does not meet all the requirements of the GDPR.
Canadian companies that collect information from EU residents must act in all respects as a European company would, notably:

- The right to be forgotten – Canadian companies have to be able to act on an erasure request by a European customer.
- Record keeping requirements – you will need to have your Article 30 records of processing, just as any EU company would.
- Data protection impact assessments – you will need processes to meet Article 35's requirements when you trigger them, and to document your DPIAs.
- Appointment of a DPO where warranted – you may need to have someone appointed as a DPO, perhaps in individual countries, where your business is primarily processing personal data, and the expectations for this may rise depending on national derogations.
- Onward transfers – Article 28 of the GDPR requires adequate protection for onward transfers from Canada elsewhere, as well as restrictions on such transfers without the controller's approval.
- Representative in Europe – if you don't have a physical presence there, you will need to appoint a representative in the EU (Article 27).
- Data breach reporting – new for a lot of Canadian organizations: you will need to report a data breach within 72 hours to your lead supervisory authority (and of course, you know who that is, right?).
- Enforcement – fines of up to 4% of global annual revenue or €20 million, whichever is greater.

If you are a data processor – a service provider to an EU company – then you are not off the hook. The obligations will be passed on to you by contract in any event, through data processing agreements, because your customers are obliged to do so; and you are also subject to the requirements of the GDPR directly, for pretty much the same things I have set out above. The fines for processors will be up to 2% of global annual revenue or €10 million, but note that this doesn't let your client (the controller) off the hook: you can both be found liable independently.

What can Canadian companies do? There are no silver bullets; this is going to require work.
You need to update your privacy program to address the requirements of the GDPR. Some Canadian companies, because they have been doing what they should under PIPEDA or provincial laws, will be in a good position with some additional activities and capabilities. For the rest, it is quickly going to become a question of what they can do in the time that remains, and it means prioritizing based upon risk. In any event, if you don’t have a plan, now is the time to get moving on it.

By Constantine Karbaliotis
•
May 15, 2017
Following on my (apparently) popular nightmare subject-access request and letter from a DPA… The GDPR provides a number of remedies for individuals in regard to their personal data that will put companies through their paces: rectification; the right to be forgotten and erasure; data portability; and objection to and restriction of processing. The natural next step, after someone has written you an annoying letter to find out what a company knows about a data subject and how it is handling their personal data, is for the author to start exercising those rights. This is harder to present in the natural flow of a single letter, because of course the exercise of these rights can arise in so many scenarios. So I wanted to highlight individual elements of what data subjects can ask under the GDPR. They may not all come at once, but through the death of a thousand paper cuts, in a series of postcards from hell:

1. Let's get rectified. Based on the information that you have provided to me in my subject-access request, it appears you have built a profile on me based on my purchases. The fact that I am buying a lot of toilet paper is no one's concern but my own; it is due to nothing other than that I have a lot of guests, and not, as the profile implies, that I am having some kind of organic issue. Please rectify this as soon as possible, as I now understand why I am receiving invitations to purchase medication.

2. Transfer this. I note that you have been transferring my personal data, namely my meal choices on flights, to the United States, and you have indicated that the basis on which you are making that transfer is the EU-US PNR Agreement. The inference being drawn from my being a vegetarian is that I belong to a suspect group and am being profiled on that basis, which is why I am routinely pulled aside for "random" searches whenever I visit the United States. I request that you delete all information concerning my meal choices that you have collected on me.

3. Your vendor is infectious. I request that you delete my contact information from your customer service vendor in India. I had one interaction to get support for my software a year ago, and now I routinely get calls from India insisting my Windows computer is infected (I own a Macintosh), so your outsourced vendor is not keeping my information confidential. Please confirm that you have followed up with any organization with which my contact details have been shared by your vendor. And in future, please restrict processing of my data to my software subscription maintenance.

4. Let my data go. I have been using your free budget management program on the Internet, and now that I understand you are storing my financial and purchase data in countries which have a high rate of identity theft, I no longer wish you to have my data. Prior to deleting it, I would like you to provide all my data in a CSV format that I can use to export to a system which stores its data in the European Union. Please use the attached schema, which will support the import into the new system I wish to use.

5. Taking a gamble you have it right. I have been receiving direct mail from you both by post and by e-mail. I am in risk management and I attend conferences on privacy and risk management. I assume that is how you got my contact information, but I do not understand how this got linked to gambling. I don't find gambling interesting and I don't know why you would assume that I would want your magazine on gambling, or your e-mails letting me know about gambling events; the connection with gambling is embarrassing and potentially damaging to my career. Stop sending me anything more and remove my name and address from your lists in relation to gambling. (Yes, the last one happened to me.)
About This Blog
The Privacy Inquisition offers perspective on the trends and challenges shaping privacy, compliance, and AI governance today. Posts draw from deep experience in the field, with a focus on clarity, practicality, and occasionally a bit of wit. It’s a resource for anyone who wants to understand what’s happening and why it matters.