Ready or not, Canadian business may face sanctions under EU’s GDPR privacy law

TORONTO — Any Canadian business that collects personal information about residents of the European Union — whether they’re tourists, students or online customers — risks maximum fines of $30 million or more if it violates a sweeping new EU privacy law that takes effect Friday.

But privacy experts say many small- and mid-sized Canadian companies have only recently become aware that they may be covered by the EU’s General Data Protection Regulation, which was adopted by the 27-country regional government in 2016 with a two-year delay before enforcement starting on May 25, 2018.

“Anybody that is collecting personal data from European residents — not only citizens — needs to comply with this,” Ale Brown, founder of Kirke Management Consulting, said in a phone interview from Vancouver.

That’s equally true for a boutique fashion company selling purses, a university with students from a European country or a website using cookies or other information tracking features, she said. The GDPR could even affect small tourism-related businesses such as a resort or tour operator, because they have guests from all over the world.

Besides carrying potentially hefty fines, the GDPR is also sweeping in scope.

It covers everything from giving people an opportunity to obtain, correct or remove personal data about themselves, to outlining rules for disclosing security breaches, to providing easily understood privacy policies and terms of service.

One of the criticisms of GDPR has been that it could impose higher administrative costs on every company that wants to comply with the rules, plus the potentially devastating impact of being hit with a fine for violating the law.

Among those raising the alarm is Jake Ward, a spokesman for the recently formed Data Catalyst advisory council, which aspires to educate policy makers and businesses about the importance of the data-driven economy.

“Now, I’m not saying that it’s a bad bill, because I don’t necessarily think it is,” Ward said in an interview.

“But there could have been some steps taken to appreciate that the challenges of small businesses is different from the large.”

For example, he said, a fine of four per cent of annual revenue would be very painful for a large company like Facebook or Google but “that’s a death sentence for a small company that gets hit with a GDPR fine.”

While the EU intends for its fines to be a real deterrent to breaking the privacy law, it does take into account a number of factors, such as whether the infringement is intentional or negligent, the actions taken to reduce damage to the individuals, and preparations in place to prevent non-compliance.

However, it may impose the biggest fine applicable in a particular case and the ultimate maximum fine could be either 20 million euros (C$30 million), or four per cent of a company’s annual global revenue, whichever is greater.

Brown said many of her larger clients have been grappling with the legal and operational implications of the GDPR for 18 months or more, but others have only recently become aware that they need to be ready too.

A top priority for them, she said, is to respond quickly if somebody requests access to their personal information or corrections to what’s on file about them, both rights recognized by the GDPR.

“Smaller businesses in Canada may fly under the radar for awhile, because the supervisory authorities are going to have to prioritize, but if somebody lodges a complaint — they’re going to come,” Brown said.

“From a financial, from a legal and a reputational perspective, you really don’t want a European supervisory authority knocking on your door.”

They can begin to protect themselves by having a process in place for dealing with GDPR issues, as soon as possible, Brown said.

“Do an inventory of the data you have, understand why you have it and document it.”

It’s also important to be able to locate the information, which may reside in multiple places such as an in-house system, on a “cloud” service on somebody else’s servers, or on a mobile device like a smartphone, said Matthew Tyrer, a senior manager at the Ottawa office of data protection company Commvault.

The arrival of GDPR has been an opportunity for Commvault as well as any Canadian company that can demonstrate it has made the effort to protect its customers’ personal data, Tyrer said.

“It will just make you that much more competitive and these are things we should probably have already been doing in the first place, when you look at the basics.”

David Paddon, The Canadian Press

Note to readers: This is a corrected story. A previous version incorrectly spelled the first name of Jake Ward.
