Ready or not, Canadian business may face sanctions under EU’s GDPR privacy law

TORONTO — Any Canadian business that collects personal information about residents of the European Union —whether they’re tourists, students or online customers —risks maximum fines of $30 million or more if they violate a sweeping new EU privacy law that takes effect Friday.

But privacy experts say many small- and mid-sized Canadian companies have only recently become aware that they may be covered by the EU’s General Data Protection Regulation, which was adopted by the 27-country regional government in 2016 with a two-year delay before enforcement starting on May 25, 2018.

“Anybody that is collecting personal data from European residents — not only citizens — needs to comply with this,” Ale Brown, founder of Kirke Management Consulting, said in a phone interview from Vancouver.

That’s equally true for a boutique fashion company selling purses, a university with students from a European country or a website using cookies or other information tracking features, she said. The GDPR could even affect small tourism-related business such as a resort or tour operator, because they have guests from all over the world.

Besides having potentially hefty fines, the GDPR’s scope is also sweeping.

It covers everything from giving people an opportunity to obtain, correct or remove personal data about themselves, to outlining rules for disclosing security breaches, to providing easily understood privacy policies and terms of service.

One of the criticisms of GDPR has been that it could impose higher administrative costs on every company that wants to comply with the rules _ plus the potentially devastating impact of being hit with a fine for violating the law.

Among those raising the alarm is Jake Ward, a spokesman for the recently formed Data Catalyst advisory council, which aspires to educate policy makers and businesses about the importance of the data-driven economy.

“Now, I’m not saying that it’s a bad bill, because I don’t necessarily think it is,” Ward said in an interview.

“But there could have been some steps taken to appreciate that the challenges of small businesses is different from the large.”

For example, he said, a fine of four per cent of annual revenue would be very painful for a large company like Facebook or Google but “that’s a death sentence for a small company that gets hit with a GDPR fine.”

While the EU intends for its fines to be a real deterrent to breaking the privacy law, it does take into account a number of factors, such as whether the infringement is intentional or negligent, the actions taken to reduce damage to the individuals, and preparations in place to prevent non-compliance.

However, it may impose the biggest fine applicable in a particular case and the ultimate maximum fine could be either 20 million euros (C$30 million), or four per cent of a company’s annual global revenue, whichever is greater.

Brown said many of her larger clients have been grappling with the legal and operational implications of the GDPR for 18 months or more, but others have only recently become aware that they need to be ready too.

A top priority for them, she said, is to respond quickly if somebody requests access to their personal information or corrections to what’s on file about them _ both rights recognized by the GDPR.

“Smaller businesses in Canada may fly under the radar for awhile, because the supervisory authorities are going to have to prioritize, but if somebody lodges a complaint — they’re going to come,” Brown said.

“From a financial, from a legal and a reputational perspective, you really don’t want a European supervisory authority knocking on your door.”

They can begin to protect themselves by having a process in place for dealing with GDPR issues, as soon as possible, Brown said.

“Do an inventory of the data you have, understand why you have it and document it.”

It’s also important to be able to locate the information, which may reside in multiple places such as an in-house system, on a “cloud” service on somebody else’s servers, or on a mobile device like a smartphone, said Matthew Tyrer, a senior manager at the Ottawa office of data protection company Commvault.

The arrival of GDPR has been an opportunity for Commvault as well as any Canadian company that can demonstrate it has taken the effort to protect their customers’ personal data, Tyrer said.

“It will just make you that much more competitive and these are things we should probably have already been doing in the first place, when you look at the basics.”

David Paddon, The Canadian Press

Note to readers: This is a corrected story. A previous version incorrectly spelled the first name of Jake Ward.

Just Posted

Cannabis facility proposed for Clearwater County

Cannabis production facility proposed south of Caroline would produce 30,000 kg of cannabis a year

Two Central Alberta country singers are finalists in career-launching contest

They will attend music industry ‘boot camp’ this summer

Transit changes to aid Burman University students

An additional evening trip and student bus passes to be in place by fall

WATCH: Province, Maskwacis Cree Nations sign educational agreement

Funding and support will help the First Nations develop a Cree-based curriculum

WATCH: Red Deer celebrates World Refugee Day

The Central Alberta Refugee Effort hosted multiple events around Red Deer Wednesday

New Jersey Devils forward Taylor Hall wins Hart Trophy as NHL MVP

LAS VEGAS — Taylor Hall has won the Hart Trophy as the… Continue reading

Red Deer high school student psyched for SHAD

Lindsay Thurber’s Kaden Nivens will head to Newfoundland for the annual program in July

Red Deer College team tackles lack of Indigneous inclusion in research projects

A local college research team has completed a lengthy project examining the… Continue reading

Officials make case against parents accused of child abuse

RIVERSIDE, Calif. — Prosecutors made their case Wednesday against a Southern California… Continue reading

Manitoba educational assistant sentenced to 3 1/5 years for sex with student

WINNIPEG — A former educational assistant in Winnipeg has been sentenced to… Continue reading

Conservatives can ‘win anywhere,’ Scheer says in welcoming Richard Martel

OTTAWA — Conservative Leader Andrew Scheer welcomed the newest member of his… Continue reading

Fans grieve as detectives search for XXXTentacion’s killers

DEERFIELD BEACH, Fla. — For hours, the fans came in a steady… Continue reading

Canadian steel not a national security threat on its own: US commerce secretary

OTTAWA — The U.S. commerce secretary says Canada is not a national… Continue reading

Most Read


Five-day delivery plus unlimited digital access for $185 for 260 issues (must live in delivery area to qualify) Unlimited Digital Access 99 cents for the first four weeks and then only $15 per month Five-day delivery plus unlimited digital access for $15 a month