Ready or not, Canadian business may face sanctions under EU's new privacy law
Experts say many Canadian firm have only recently become aware that they may be covered by new EU policy
Any Canadian business that collects personal information about residents of the European Union — whether they're tourists, students or online customers — risks maximum fines of $30 million or more if they violate a sweeping new EU privacy law that takes effect Friday.
But privacy experts say many small- and mid-sized Canadian companies have only recently become aware that they may be covered by the EU's General Data Protection Regulation, which was adopted by the 27-country regional government in 2016 with a two-year delay before enforcement starting on May 25, 2018.
"Anybody that is collecting personal data from European residents — not only citizens — needs to comply with this," Ale Brown, founder of Kirke Management Consulting, said in a phone interview from Vancouver.
That's equally true for a boutique fashion company selling purses, a university with students from a European country or a website using cookies or other information tracking features, she said. The GDPR could even affect small tourism-related business such as a resort or tour operator, because they have guests from all over the world.
Besides having potentially hefty fines, the GDPR's scope is also sweeping.
It covers everything from giving people an opportunity to obtain, correct or remove personal data about themselves, to outlining rules for disclosing security breaches, to providing easily understood privacy policies and terms of service.
One of the criticisms of GDPR has been that it could impose higher administrative costs on every company that wants to comply with the rules — plus the potentially devastating impact of being hit with a fine for violating the law.
Among those raising the alarm is Jake Ward, a spokesman for the recently formed Data Catalyst advisory council, which aspires to educate policy makers and businesses about the importance of the data-driven economy.
"Now, I'm not saying that it's a bad bill, because I don't necessarily think it is," Ward said in an interview.
"But there could have been some steps taken to appreciate that the challenges of small businesses is different from the large."
For example, he said, a fine of four per cent of annual revenue would be very painful for a large company like Facebook or Google but "that's a death sentence for a small company that gets hit with a GDPR fine."
While the EU intends for its fines to be a real deterrent to breaking the privacy law, it does take into account a number of factors, such as whether the infringement is intentional or negligent, the actions taken to reduce damage to the individuals, and preparations in place to prevent non-compliance.
However, it may impose the biggest fine applicable in a particular case and the ultimate maximum fine could be either 20 million euros ($30 million Cdn), or four per cent of a company's annual global revenue, whichever is greater.
Brown said many of her larger clients have been grappling with the legal and operational implications of the GDPR for 18 months or more, but others have only recently become aware that they need to be ready too.
'Under the radar'
A top priority for them, she said, is to respond quickly if somebody requests access to their personal information or corrections to what's on file about them — both rights recognized by the GDPR.
"Smaller businesses in Canada may fly under the radar for awhile, because the supervisory authorities are going to have to prioritize, but if somebody lodges a complaint — they're going to come," Brown said.
"From a financial, from a legal and a reputational perspective, you really don't want a European supervisory authority knocking on your door."
They can begin to protect themselves by having a process in place for dealing with GDPR issues, as soon as possible, Brown said.
"Do an inventory of the data you have, understand why you have it and document it."
It's also important to be able to locate the information, which may reside in multiple places such as an in-house system, on a "cloud" service on somebody else's servers, or on a mobile device like a smartphone, said Matthew Tyrer, a senior manager at the Ottawa office of data protection company Commvault.
The arrival of GDPR has been an opportunity for Commvault as well as any Canadian company that can demonstrate it has taken the effort to protect their customers' personal data, Tyrer said.
"It will just make you that much more competitive and these are things we should probably have already been doing in the first place, when you look at the basics."