General Data Protection Regulations (GDPR)

The rapid expansion of the internet and data processing capabilities has led to greater concerns for the protection of personal data. This has resulted in the implementation of the EU General Data Protection Regulation (the “GDPR”), which came into force on May 25, 2018, and replaced the Data Protection Directive 95/46/EC. The GDPR aims to give individuals greater control over their personal data by raising the standards for privacy.

As a result, organizations in Ontario that have any affiliation in the EU will have to change the way they process, store, and protect the personal data of EU citizens.

The Data

The “data” that the GDPR regulates includes any information related to a person (a “data subject”) that can be used to directly or indirectly identify the person. This can be anything from a name, a photo, an email address, bank details, ID numbers, a location, posts on social networking websites, medical information, or a computer IP address.  

Territorial Scope

A significant aspect of the GDPR is that it has a very broad territorial scope, as it applies to any organization that collects, processes, manages, or stores the data of EU citizens. The location of the actual organization is irrelevant. It is important to emphasize that the application includes organizations or their affiliated processors who are not established in the EU, but who process the personal data of people who are themselves in the EU.

The GDPR therefore applies to organizations in Ontario if they have any presence in the EU, if they offer goods or services to individuals in the EU, or if they process or monitor personal data of individuals in the EU.

The Rights of Data Subjects

(i) Consent

Organizations can no longer use long illegible terms and conditions to gain consent. Instead, consent must be freely given as a clear opt-in, separate from other matters, and provided in an accessible form using plain language. Parental consent must also be obtained by the organization prior to processing personal data of children under the age of 16.  

The data subject shall have the right to withdraw his or her consent at any time, and this should be as easy to do as it was to give the consent.

(ii) Transparency

Data subjects have the right to obtain from the organization a confirmation of whether or not their personal data is being processed, where, and for what purpose. The organization shall also provide an electronic copy of the personal data upon request, free of charge.

(iii) Erasure

Another key section of the GDPR is article 17, which outlines a data subject's “right to be forgotten”. This provides them with the entitlement to request the erasure of all personal information an organization has about them, and that it will be done without undue delay.

If this right is invoked, organizations will also need to communicate with any other entities who might have had this data, and inform them that the consent has been revoked. This could occur if the data was made public.

(iv) Data Breach

In the case of a personal data breach, the organization shall notify the supervisory authority under the GDPR. This notification must be made without undue delay, and if they take longer than 72 hours, then they must provide a legitimate reason for the delay.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, then in certain circumstances listed in Article 34, section 3 of the GDPR, the organization shall also communicate the breach to the data subjects.

This broad requirement makes it very important for Canadian organizations to be able to manage their data and secure its integrity in order to be able to respond within 72-hours of any data theft, loss, or damage.

Representatives and Officers

If the organization or processor is outside of the EU, they must designate in writing a representative in the EU, unless the processing is merely occasional or otherwise meets the conditions listed in Article 27, section 2 of the GDPR.  This representative is meant to receive communications for all issues related to processing addressed to the organization by the EU data protection supervisory authorities and by data subjects.

One additional way in which the GDPR imposes internal compliance mechanisms for organizations is through a data protection officer (“DPO”). All organizations are free to appoint a DPO, however they will be compelled to do so if one of the following conditions applies:

1. organization is a public authority;
2. part of the organization’s core activities requires regular monitoring of individuals on a large scale; or
3. part of the organization’s core activities requires large scale processing of sensitive personal data, such as relating to criminal convictions and offences.

The DPO’s role includes informing and advising the organization of its obligations under the GDPR, and monitoring compliance and requirements relating to privacy impact assessments, data security, and the rights of individuals. The DPO also acts as a contact point for the supervisory authority.

Compliance

The organization (data controller), data processor, and the DPO all must be in compliance. A third-party processor not in compliance equates to the organization not being in compliance.

Most organizations will need to be able to prove they are complying with the law, and upon request, must produce evidence to support how they are complying. This means having paperwork documenting what personal data is used by the organization and how.

The price of non-compliance can be high, with there being two tiers of fines that can be incurred for violations. The first is a fine of up to €10 million, or 2% of the organization’s global annual turnover, depending on which is higher. The second is a fine of up to €20 million, or 4% of the organization’s global annual turnover.

For more information, an easily-assessible electronic copy of the GDPR can be found here: https://gdpr-info.eu/