Now that GDPR is in effect, what's next? Canada, which has a law similar to GDPR, offers a glimpse of a likely future.
There is no doubt the technology industry will be greatly impacted by the implementation of the General Data Protection Regulation (GDPR). Top global data companies are having to rethink and restructure many of their policies and procedures in order to become GDPR compliant.
GDPR will undoubtedly transform the way businesses in the technology industry operate. Ever-increasing amounts of data are produced daily, much of it personal, and tech companies use, process and store it for a multitude of reasons. This is just the beginning. We can expect more on the horizon in how countries, and companies, address global data privacy and security.
A recent Microsoft statement points succinctly to the potential impact. “While the regulation applies to companies of every sort, much of the practical burden falls on the tech sector. This is due in part to the large amount of information held by online firms, but it’s also because, with digital transformation trends, every company is relying more on cloud services. For Microsoft and other tech companies that provide these services, architectural and engineering changes that support GDPR’s new requirements are foundational not only for ourselves, but for all our customers who use our services to store or process consumer information.”
Many in the tech industry point to four of the GDPR’s requirements as the most challenging to meet:
- Documenting all "personal data" the company processes or stores, and being able to delete it or provide it to the individual upon request
- Appointing Data Protection Officers (DPOs) where the regulation requires one, a significant new expense for many companies
- Detecting data breaches and notifying the supervisory authority within 72 hours of becoming aware of them
- Data portability provisions allowing individuals to obtain their data in a structured, machine-readable format and take it elsewhere, potentially to a competitor
Consent will be one of the greatest challenges of the GDPR for companies in the tech industry. It will cause many issues for companies that share data, as well as for cloud service providers, which host information in data centers on behalf of other companies. The GDPR sets a high standard for consent: it must be freely given, specific, informed and unambiguous, which amounts to "offering individuals genuine choice and control." The responsibility falls on the company not only to ask for an individual's permission, but also to keep records that demonstrate the consent was given.
Canada – A useful comparison
While existing and emerging requirements of countries and regions do – and will – vary, Canada offers a useful comparison, as it has a well-established legal regime supporting data privacy. This provides Canadian organizations with a heightened level of familiarity with privacy and regulatory compliance. However, the differences between EU and Canadian privacy frameworks provide insight into what companies around the world will likely face going forward.
Among the most significant operational differences between Canada's PIPEDA (Personal Information Protection and Electronic Documents Act) and the GDPR, according to Pablo Rodriguez, Vice President of Strategy and Commercial Policy for Legal and Tax & Accounting in Canada, is the approach to consent as a legal basis for data processing. The GDPR is more flexible than PIPEDA in that it permits organizations to collect, use and disclose personal information on specific grounds other than consent, such as the performance of a contract or legitimate interests. Other points of comparison per Rodriguez include:
- Both PIPEDA and the GDPR grant individuals the right to access the personal information that organizations have about them. However, the GDPR also introduces a right to “data portability.”
- The GDPR grants individuals the right to be forgotten, permitting them to require organizations to "erase" personal information in a number of circumstances. Under PIPEDA, the obligation to destroy data is qualified, as it is under the GDPR, by countervailing legal obligations or rights, such as compliance with another data retention law.
- At present, there are no mandatory data breach reporting provisions in force in PIPEDA. Amendments passed in the Digital Privacy Act, 2015 add breach reporting, and breach notification is expected to become mandatory later this year, with fines for non-compliance. Companies will find significant overlap between the breach provisions in the Digital Privacy Act and those in the GDPR.
- Canadian organizations preparing for the data breach provisions in the Digital Privacy Act will likely find an incremental compliance obligation under the GDPR. Breach response planning must capture the potentially broader GDPR definition of a breach, which covers accidental or unlawful destruction, loss and alteration of personal data as well as unauthorized disclosure or access, so a plan tuned only to unauthorized disclosure will miss reportable incidents. Breaches must also be reported within the tighter 72-hour timeframe the GDPR requires.
There are additional differences between the new European law and Canada's. Both PIPEDA and the prior European directive placed the burden of responsibility on the data controller (the organization that decides why and how personal data is processed). The GDPR keeps that burden and also places direct legal obligations on the data processor. Third-party service organizations hired by controllers to handle personal data on their behalf are processors, e.g., cloud service providers and call centers, and they now carry their own statutory duties rather than only the contractual ones a controller chooses to impose.
Canadian organizations that comply with PIPEDA have the advantage in terms of having already set up privacy policies and practice. However, Canadian organizations affected by GDPR will need to carefully review the additional areas of compliance given its stricter consent mandate, right to be forgotten and data portability requirements.
The work of becoming GDPR-compliant has been a significant focus for the legal, data/tech and marketing groups of many companies over the past year. However, it’s worth calling out that companies (in particular, technology companies) need to recognize that May 25th is not the end game and that GDPR will not be a “one and done” exercise.
Compliance with existing requirements, and the need to remain agile as new requirements (and interpretations) are introduced globally, will be ongoing work for enterprises for the foreseeable future. As technology companies look ahead (and while the U.S. is unlikely to pass similar regulations under the current administration), GDPR provides both an important model and framework for many other countries in addressing data privacy, data security and personal data collection.