Understanding GDPR Security & Privacy Implications for Canadians
Privacy and the collection of consumer data are growing concerns among Canadians. Last year saw the massive Equifax data breach, and with the Facebook advertising vulnerabilities coming to light, it is a good time to discuss Europe’s new policies on online privacy: the GDPR.
The European Union is adopting a new framework for data protection. The laws (known as the General Data Protection Regulation, or GDPR), currently in a grace period, will be enforced as of the 25th of May, 2018.
When the GDPR does come into effect, its impact will surely be felt in Europe but also across the globe.
GDPR: Why it matters to Canadians
With GDPR, substantial fines may be levied for failure to adequately protect user data:
Up to 20 Million Euros or 4% of a company’s annual global revenue, whichever is greater.
This fine can be incurred by any company, inside or outside the EU, that collects ‘personal data’ of EU citizens and does not comply with GDPR regulations. Thus, even a blog that receives EU visitors and collects data through Google Analytics must be aware of the GDPR.
‘Personal data’ does not mean every single piece of data collected but it does encompass a great deal:
"[A]ny information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." 1
Personal data refers to any piece of information (referred to as “identifiers”) that could pinpoint a specific individual. Companies both large and small must ensure the data they collect is properly anonymized.
What does this mean for customer files?
Many companies have software that helps them manage their clients, containing information specific to an individual, i.e. name, phone number, address etc. This information is necessary for a business to operate for customer care and billing, so what can be done?
This is where consent comes into play.
Consent under the GDPR is rigorous:
"If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language." 2
But there is more! Besides personal data and consent there are a few additional areas of concern.
Other Key Points of the GDPR
GDPR is designed to protect EU citizens from having their data used in ways that they do not wish as well as to lessen the impact of data breaches. To aid in this effort, the GDPR focuses on certain rights and oversight procedures. Here are some of the key points.
Right to access: Any EU citizen has the right to ask for and obtain any information the company has on them. The company must be clear about how the data is being processed and provide the client with a copy of the data.
Right to be forgotten: If data is shown to no longer be relevant for its original purpose, an EU citizen has the right to have the data erased.
Data protection officers: Any large-scale organization (250 employees or more) that monitors or processes personal data must have a data protection officer (sometimes referred to as a Privacy Officer) to oversee the data protection strategy. This could be an existing employee or a new hire, but a qualified individual must have expert knowledge in GDPR compliance.
Thanks to technology, the world has become far more interconnected. Yet this interconnectedness means that online laws and regulations become a global concern, as ‘virtual borders’ can be crossed with the click of a mouse. We will have to see how the GDPR is enforced to truly understand its impact, but considering the risks involved with non-compliance, Canadians should take steps to protect their clients, website visitors and businesses.
How are you currently protecting your client’s confidential information? We’d love to hear your comments, concerns, and ideas in the comments below!