If you’re going to read one more story, blog or update on the latest changes to the GDPR, make sure it’s this one.
On June 12th, we presented at a local Meetup on a topic that hits home for many Canadian companies (including ours). You know the one. But in case you’ve been living under a rock since it came into effect on May 25th, probably trying to avoid the subject altogether in hopes it will go away (I don’t blame you), I’m talking about the European Union’s General Data Protection Regulation (GDPR).
While our Director of Software Services, Chris Venantius, was presenting on the subject at a Silicon Halton Meetup (Silicon Halton is a grassroots community and social enterprise dedicated to connecting hi-tech entrepreneurs and leaders and building strong local relationships and business partnerships), he noticed two alarming things: 1) the number of business owners unclear on how to remain compliant, and 2) the number of questions trying to demystify the regulation, including whether it applies to their company at all.
We comforted the crowd by using recent practical experience with companies to help explain the potential process. Below are some takeaways from our presentation.
Does this apply to my company?
It applies to the processing of personal data where the activity is related to offering goods or services to, or monitoring the behaviour of, data subjects in the European Union, regardless of whether the processing itself takes place in the European Union.
What does that mean?
If you collect personal data and the person it belongs to may be in the European Union, then there is a good chance GDPR applies to you. Keep in mind that something as ordinary as a person’s IP address is considered personal data.
How is it enforced in Canada?
The onus is on the EU member states to enforce GDPR. This means that if you are found in violation, the appropriate European supervisory authority might come calling.
It is obviously easier for the EU to enforce if you have a physical presence in the EU. If you don’t, it becomes a bit more difficult as the EU relies on international law to enforce any penalty.
This will require cooperation between Canada and EU data protection authorities. Currently, the Office of the Privacy Commissioner is not responsible for enforcing GDPR.
What to remember before you discount GDPR
Many are calling GDPR the new gold standard for data protection. It might be only a matter of time before Canada’s regulation (PIPEDA) is updated to move closer to GDPR expectations, especially if Canada wants to maintain its adequacy status with the EU, which directly governs how personal data can flow from the EU to Canada. Companies that you work with might also require you to show proof of GDPR compliance in order to protect themselves in the event of a violation or data breach.
Steps to consider
- Very few companies are GDPR ready. Gartner predicts “…by the end of 2018, more than 50 percent of companies affected by the GDPR, will not be in full compliance with its requirements.” As GDPR is established, it is critical to be able to show you are on track to be compliant. That means having a plan, budget, initial assessments and target dates.
- Avoid boiling the ocean or reacting to fear-driven headlines written to drum up GDPR business. Instead, do a high-level assessment of your current state and identify the risk areas to work on first.
- Define what is personal data in the context of your business – it is not just a person’s first and last name, but extends to activities and data that can be used to identify them.
- Perform a data assessment. It should identify where personal data is stored at rest (physical and hosted locations) and the methods by which it is transferred.
- Provide a business justification for the data points you collect to ensure you limit the collection scope.
- Update or create a data retention plan with the target of reducing how long personal data is kept to the minimum feasible for your business.
- Ensure access to the data is restricted to the users who need it, with the least privilege required for their role. Make sure you have a process in place to re-validate that access throughout the year.
A good first step of becoming GDPR compliant is making sure you take stock of what you collect, where you store it and how you use it.
After that, you can identify your risk areas and close your compliance gap, whether that means properly securing your data through anonymization or pseudonymization techniques, obtaining proper consent for data usage, or having a process in place to fulfill data subject rights (DSR) requests.
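As an added illustration of the three items above (pseudonymization, retention and DSR handling), and not code from the original post or from our team, the following Python sketch keeps analytics events under a keyed pseudonym, holds the pseudonym-to-identity mapping in a separate, access-restricted structure, purges events past a retention window, and answers access and erasure requests. The secret key, the 90-day retention period and the IP addresses are constructed for the example; in practice the key would come from a secret store and the records from a real database.

```python
"""Pseudonymization, retention and DSR handling sketch (added example, not the post's own code)."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed demo key. A keyed pseudonym is reversible by whoever holds the key,
# so under GDPR it is still personal data (pseudonymized, not anonymized).
PSEUDONYM_KEY = b"constructed-demo-key-not-for-real-use"
RETENTION_DAYS = 90  # assumed retention window for the example


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """HMAC-SHA256 of the identifier: stable per key, not reversible or
    brute-forceable without the key (a plain hash of an IP would be)."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


class PersonalDataStore:
    """Events carry only the pseudonym; the identity map is held separately so it
    can be access-restricted and audited independently of the analytics data."""

    def __init__(self, key: bytes = PSEUDONYM_KEY, retention_days: int = RETENTION_DAYS):
        self.key = key
        self.retention = timedelta(days=retention_days)
        self.events: list[dict] = []          # pseudonymized activity records
        self.identity_map: dict[str, str] = {}  # pseudonym -> raw identifier

    def record(self, ip: str, action: str, when: datetime) -> str:
        token = pseudonymize(ip, self.key)
        self.identity_map[token] = ip
        self.events.append({"subject": token, "action": action, "at": when})
        return token

    def purge_expired(self, now: datetime) -> int:
        """Retention plan: drop events older than the window, then drop identity
        entries that no longer back any live event. Returns events removed."""
        cutoff = now - self.retention
        before = len(self.events)
        self.events = [e for e in self.events if e["at"] >= cutoff]
        live = {e["subject"] for e in self.events}
        self.identity_map = {t: v for t, v in self.identity_map.items() if t in live}
        return before - len(self.events)

    def export_subject(self, ip: str) -> list[dict]:
        """DSR: right of access. Re-derive the pseudonym rather than scanning raw IPs."""
        token = pseudonymize(ip, self.key)
        return [e for e in self.events if e["subject"] == token]

    def erase_subject(self, ip: str) -> int:
        """DSR: right to erasure. Remove the identity link first, then the events.
        Returns the number of events removed."""
        token = pseudonymize(ip, self.key)
        self.identity_map.pop(token, None)
        before = len(self.events)
        self.events = [e for e in self.events if e["subject"] != token]
        return before - len(self.events)


if __name__ == "__main__":
    now = datetime(2018, 6, 12, tzinfo=timezone.utc)  # constructed reference date
    store = PersonalDataStore()
    store.record("203.0.113.7", "login", now - timedelta(days=100))  # constructed IPs
    store.record("203.0.113.7", "view", now - timedelta(days=1))
    store.record("198.51.100.9", "view", now - timedelta(days=2))
    print("purged:", store.purge_expired(now))
    print("access request:", store.export_subject("203.0.113.7"))
    print("erased:", store.erase_subject("203.0.113.7"))
```

The design choice worth noting is the split between `events` and `identity_map`: the analytics side can be shared more widely because it carries only tokens, while the mapping (and the key) is what the access re-validation step in the list above should focus on. Erasure removes the link before the records, so even a partial failure leaves no way back to the person.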
Remember, GDPR is not a one-and-done exercise. Our team has ongoing efforts in place to ensure our future development work maintains compliance. Do you?