As information crosses international borders at an unprecedented rate, privacy and security of data remain one of the top concerns for Canadian businesses.
We have been discussing PIPEDA lately and how domestic data protection laws have been dictating data collection, storage, usage and management by businesses in the country. However, despite many attempts to protect sensitive information, several cybersecurity challenges including breaches, malware, ransomware and third-party phishing attacks, are on the rise.
Last year in May 2018, European Union overhauled its General Data Protection Regulation (GDPR). It was an attempt to put together a more coherent data protection legislation for EU member states.
Also, this is a prime example of how authorities worldwide are pushing to more clarity in data privacy laws to cope with security challenges.
Cybersecurity is Important to GDPR’s Objectives
GDPR is basically designed to guide organizations in protecting the sensitive data of EU citizens. This includes any data which can be used to identify an individual, including medical records, financial or genetic information – mainly the information targeted in breaches.
The regulation asks all businesses to report certain types of data breaches to the relevant authority within 72 hours of becoming aware of the breach (when feasible). The aim is to upgrade data security and
• To unify protections applicable to the processing of personal data across all member countries
• Promote the protection of personal data of EU citizens in the global economy, no matter where the company is based
• Render individuals control over their data
• Help individuals understand what data is being collected and what is happening to their data
• Improve compliance by introducing significant penalties
Data Processing Depends on Extent of Compliance
Before preparing your IT security plans, Canadian businesses should understand the capacity to which the GDPR applies to their activities. The primary consideration here is the extent to which you process the personal data of subjects in the EU.
Also, the extent of GDPR will depend on the extent of processing activities targeted towards individuals in the EU, for instance,
- Offering goods or services to individuals
- Monitoring the behaviour of individuals
Here we would press that the GDPR’s scope is not limited to organizations with a physical presence in the EU or merely to the businesses who are actively or intentionally targeting consumers in the EU. In fact, the entire process of data processing is heavily scrutinized to lessen the possibility of breaches and other security threats.
GDPR Obligations are Essentially to Increase Data Security
If your activities in the EU are neither material or strategic to your organization, then it would be more feasible to restrict your activities and make them fall outside the scope of GDPR. For example, you may elect not to process personal data from individuals located in the EU.
But if it is not possible or desirable to restrict, you’ll have to comply with the obligations defined by the GDPR. These are essentially to increase data security for the data subject and include:
Obligations on Both Controllers and Processors: While Canadian privacy laws are more direct on the controllers (the person who defines the purposes and means of the processing of personal data) than the processors (the person who process data on behalf controller), GDPR imposes statutory obligations on both controllers and processors.
Consent for Processing: Under the GDPR, personal data can only be processed if your business meets specific requirements. Also “consent” has been narrowly defined in the GDPR as “freely given, specific, informed and unambiguous indication” This means opt-out consent is not an acceptable means.
Security and Privacy Design: The regulation requires controllers and processors to implement appropriate technical and organizational measures. This means you’ll have to ensure a level of security that is appropriate to the risk. In fact, there are various “by design and by default” obligations to implement data protection
Notifying the Breach: If there is any “personal data breach,” a controller must notify the regulatory authority within the specified timeframe. Also, if the personal data breach results in a high risk to the rights and freedom of the people, it should be notified immediately.
Automated Processing of Personal Data: Different provisions in the GDPR specifies automated processing of personal data and evaluates aspects relating to the natural person. This includes access, consent and objection regarding automated decision-making.
Right to Erasure: Data subjects have the right to have their personal data erased without undue delay. However, this will depend on the extent to which the information is vital for exercising the rights of freedom of expression and information.
Engage GRIP I.T for Compliance and Advanced IT Security
GDPR compliance can be a tough grind, especially in terms of cybersecurity planning. You will require a detailed strategy and collaboration with all stakeholders in your chain with the realistic solutions-based approach.
We can help you assess your current policies and identify gaps relative to the stipulations mentioned in the GDPR. Once you are aware of the shortcomings, we can prepare different security strategies and develop a plan to achieve compliance in the most effective manner.
There are various similarities between PIPEDA and the GDPR with some differentiating aspects. We help you head start with an additional effort to uncover the breadth of new obligations imposed on Canadian organizations.
Call us on 416.907.8181 to discuss GDPR compliance issues with our team today!