Privacy: The New Standard

The EU’s new regulation will change everything about how customer data is stored and processed.
THE GENERAL DATA PROTECTION REGULATION is coming, and in-house legal departments are staffing up, if they have not already. To help clients prepare for the May 25, 2018, enactment of the new European Union privacy law, Lyndsay Wasser of McMIllan LLP has prepared a breakdown of the most important provisions for Canadian companies and suggested a number of steps to ensure compliance. This does not constitute legal advice. These provisions, and Wasser's recommendations, are outlined below.

Extraterritoriality: The GDPR applies to any company that offers goods or services to EU residents or monitors their internet use for purposes of behavioural advertising. Recommendation: Any such company is subject to the GDPR and needs to ensure compliance.

Consent: It must be freely given, specific, informed and unambiguous. Offering an opt-out choice does not appear to be sufficient to provide consent. Explicit consent is required for collecting data related to genetics, biometrics, racial or ethnic origin, political opinions, philosophical beliefs, union membership, health or sexual orientation. EU citizens must be allowed to object to direct marketing or profiling related to direct marketing. Consent is invalid if there is a clear imbalance of power, such as when service is conditional upon consent. Parental consent is required for anyone under age 16. Withdrawal of consent must be as easy as the original consent. Recommendation: Review consent documents and amend as necessary for EU use.

Accountability: The GDPR incorporates many concepts of “security by design” including assessing risk of data breach and potential harm to data subjects. Recommendation: Similar to Canadian legislation but “privacy impact assessments” may need to be implemented if they’re not standard practice.

Breach Notification: These are required without delay and generally within 72 hours. Recommendation: PIPEDA is imposing new breach notification requirements, but if EU citizens are affected, companies will need to consider differential risk and the 72-hour notice requirement under the GDPR.

Data Processors: Third-party processors must delete data after processing is complete and notify data collector of any breach. Data collectors are responsible for data protection by processors. Recommendation: Review arrangements for data storage and processing outside Canada if they involve EU data. Amend contracts as necessary.

International Transfers: Where there is no GDPR adequacy ruling, such as in the US, binding corporate rules must provide adequate protections. Recommendation: Review all processing of EU data outside Canada and amend outsourcing and subcontracting agreements as necessary.

Data Protection Officer: One must be appointed where processing involves regular and systematic monitoring of EU citizens or where it involves processing certain categories of data on a large scale. DPOs must have sufficient expert knowledge. DPOs have the right to insist on resources to perform responsibilities. Recommendation: Assuming the company has a chief privacy officer, review the officer’s duties and qualifications to ensure GDPR compliance.

Right to be Forgotten:  Subject to certain exceptions, data collectors must erase personal data upon request of the data subject or if the original purpose of collection has been fulfilled. Recommendation: Review policies on retention and disposal of personal data and ensure erasure requests can be honoured.