If your organization does business with people in the EU, then you’ll need to make sure you’re up to date with the new GDPR legislation. The General Data Protection Regulation becomes enforceable on May 25, 2018, and the penalties for failing to comply can reach up to 4% of your global annual turnover or €20 million, whichever is higher.
The big question that many companies based in Canada have been asking over the past year is how the legislation concerns them. The first and most important thing to understand is that GDPR is designed to protect the personal data of individuals who are in the EU, whatever their citizenship. It doesn’t matter that you have no physical presence within any EU territory: if you offer goods or services to people in the EU, or monitor their behaviour (for example, by tracking visitors to your website), then you’ll need to be compliant.
GDPR will apply to your company if it meets any of the following criteria:
To avoid being hit by enormous fines and suffering severe damage to your reputation, it’s important to understand the purpose of the GDPR legislation. Unsurprisingly, the law aligns with Canada’s own PIPEDA in many ways, which should make your journey toward compliance somewhat easier. However, there are some important differences between the two, so you’ll still need to conduct a separate compliance assessment for GDPR.
Unlike PIPEDA, GDPR defines two types of entities that must be compliant. There are Controllers, who decide how personal data is processed and for what purpose; and Processors, who process data on a Controller’s behalf. For example, a cloud storage provider or a backup and disaster-recovery service might be considered a Processor. It is important that you understand this distinction because, as a Controller, you’ll be legally obliged to conduct a Data Protection Impact Assessment (DPIA, the GDPR equivalent of a Privacy Impact Assessment) for any processing that is likely to result in a high risk to individuals, such as large-scale profiling or handling of sensitive data. Moreover, the responsibility falls on you to use only Processors that offer sufficient guarantees of compliance, and to bind each of them with a written contract that sets out their obligations as a Processor.
Since you don’t have much time left to become compliant, you’ll need to act as soon as possible by establishing a compliance roadmap. Once you’ve familiarized yourself with the legislation, you’ll want to start the process by identifying every data-bearing system and processor your business relies on. Create a complete list of internal and outsourced assets, including applications, file servers, backup and cloud storage facilities, hosted apps, and mobile devices. Once you have built a complete inventory of all your digital assets, you’ll be ready to conduct a risk assessment and deal with any potential gaps in compliance.
Although there is a great deal of crossover between PIPEDA and GDPR, GDPR introduces much stricter rules on data breach notifications and the appointment of a data-protection officer. At the time of writing, PIPEDA does not set any legal deadline for reporting data breaches, whereas GDPR demands that companies alert the relevant supervisory authority within 72 hours of becoming aware of a breach, and that they also inform the affected individuals without undue delay when the breach is likely to result in a high risk to them.
Once you’ve carried out a risk assessment and a thorough overview of your current compliance status, it will be time to fill in the gaps. Consider appointing a data-protection officer who will be responsible for overseeing your data-protection strategy. GDPR makes this mandatory only in specific cases, such as large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive data, but it is good practice in any organization that handles EU personal data. This member of your team will also need to routinely audit your business’s compliance efforts and keep records of the measures taken. GDPR holds you accountable for being able to demonstrate compliance, so if you were to fall foul of it, documented evidence that you took serious steps to secure your data and protect customers’ privacy will weigh in your favour when regulators decide on penalties, although it does not remove your responsibility for the breach.
Despite the extra costs and red tape involved in becoming GDPR-compliant, there are a few ways it can directly benefit your business. For example, as organizations struggle to keep up with ever-changing regulations, you could view compliance as a competitive advantage. Furthermore, given how quickly things change, it’s always wise to stay one step ahead when it comes to matters of compliance and security. In fact, Canada’s very own PIPEDA legislation is due to be updated later this year with some additions that will bring it closer in line with GDPR.
Achieving regulatory compliance is much harder if you’re running a small business and doing everything yourself. Dyrand Systems is here to make technology easier and more effective all while helping you meet your security and compliance obligations. Talk to us today to get started with a free assessment.