GDPR for Businesses in Canada

What Canadian Businesses Need to Know About GDPR

You’ve probably noticed a couple of years ago a surge in websites with messages requiring visitors to approve their cookie policy. This is largely due to the introduction of new European data-privacy laws set in place to provide greater protection and rights to individuals. This article is to provide Canadian website owners fundamental understanding of what GDPR is and how to comply.


 

What is GDPR?

General Data Protection Regulation or better known as GDPR is a regulation which came into effect in March 2018 by the European Union (EU). This regulation applies to any business conducting business with, or in, the EU. Non compliance can result in big fines and can damage reputations. Canadians are not exempt by default and should take the following privacy controls and and policies into consideration. Here’s an overview of GDPR rights.

1. Right to data portability means individuals have the right to receive their personal data from your controller in a structured, commonly used and machine-readable format.

2. Right to erasure means individuals have the right to demand you "erase" or “delete” personal information without undue delay in most circumstances. There are some exceptions and for a deeper dive refer to the link to ICO at the bottom of this article.

3. Consent requirements means consent must be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of an individual’s agreement to the processing of their personal data. It can not be bundled with other terms and conditions.

4. Data protection by design and by default means controllers are to adopt internal policies and implement appropriate technical and organizational measures to meet the principles of data protection by design and data protection by default. These include data minimization and privacy-protective default settings. 

5. Data protection impact assessments will become mandatory when processing data, particularly using new technologies, is likely to result in a high risk to the rights and freedoms of individuals.

6. Breach notification requirements means that data breaches are to be reported to the competent supervisory authority (of the EU Member State concerned) without undue delay, and where feasible, within 72 hours of the organization becoming aware of.

Do I need to comply?

This regulation affects anyone with clients, customers or website visitors in EU countries. In fact you would need to literally exclude people in the EU from accessing your website to be exempt. If that doesn't sound like a viable option then there are some rather straight forward steps to implement. That being said even if you don't have any business in the EU its a good idea to be compliant to protect the privacy of the people who use your site and t help with your PIPEDA compliance as well. Eventually the Canadian regulations will catch up to GDPR and being ready early will earn you the peace of mind early in the game. https://www.inorbital.com/Blog/Health-Care/Practical-Approaches-for-the-Personal-Health-Infor

How to to comply?

To comply with GDPR and other data protection regulations including PIPEDA its important to have the processes and technology to support these regulations and to understand how it impacts how you are doing business. Follow these tasks to get started with compliance.

1. Assign a Data Protection Officer (DPO) and create a Data Register

   1. Organizations need to designate an individual as the DPO. They should have significant expertise, resources, responsibilities and independence in the organization, to be engaged if the breach or activities are “large-scale.”

   2. Keep a log or registry of GDPR processes. The objective here is to be able to prove to the Data Protection Association (they are responsible for enforcing GDPR) that the processes are in place and are being followed. Basically documenting or journaling your organizations implementation. The better the Data Register the less chance for a fine if a breach occurs. A corporate intranet is an ideal place for this documentation but even keeping a spreadsheet will suffice.

2. Classify your data - Find your existing area of collecting and storing Personal Identifiable Information (PII). Document a) where it is stored, b) who has access to it, c) who it’s being shared with. You may have online subscription forms or content that requires registration or even a simple contact form that are the obvious culprits but even website cookies can store PII. Next determine what data is more vital to protect, based on this classification.

3. Document procedures for each of the requirements. The primary intention here should be to protect the user’s privacy. Assess and document where the website might be vulnerable. Have a plan to shore up each of these vulnerabilities. This is key is to be able to demonstrate to the DPA that you are taking action to comply. Adding a simple “I agree to the cookie policy” is an example of an actionable compliance task but this alone will not suffice. Its always best to remove any PII collection if possible but we know this isn't always the case so make a plan and follow it.

4. Audit and revise. This step is to ensure that your procedures are working and to revise where they are not. When implementing the revised measures make sure to consider security at the forefront. Its super important to that you are active in planning and circumventing PII breaches in order to avoid fines.

Next steps.

Having the tools and technology in place will make the path to compliance rather straight forward and less daunting. Here at Inorbital we start with Kentico Xperience CMS as the foundation to a well built website which includes the features necessary for effortless GDPR compliance. This includes keeping track of consents and letting your visitors update their privacy setting supporting the right to access, data portability, and the right to be forgotten.

With extensive documentation we make it easy for you to locate data and navigate to what you need. There’s even integrated consent management, to create, store, update, or archive consents in the Data Protection app. This way we can keep track of consents and display them to website visitors where needed using widgets and form controls.

 For Portability compliance the CMS provides personal data in a machine-readable format and allows you to export personal information and import it to another system easily.

You can also respond to demands for personal data deletion from your visitors with ease. Where you can selectively delete relevant data and comply with the strict deadlines imposed by GDPR and other international data protection regulations.

Contact us to implement the technology to ensure your compliance and peace of mind.

Further Reading.

To learn more visit the ICO (Information Commissions Office) the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.