New regime may blindside companies

Study shows most Canadian businesses are unprepared for EU’s General Data Protection Regulation

A RECENT DELL INC. SURVEY shows that Canadian companies are among the many organizations around the world that lack awareness of and preparation for the European Union’s new General Data Protection Regulation (GDPR), which comes into force in May 2018.

The GDPR, which creates a comprehensive regulatory regime for handling the personal information of EU citizens, has extensive extraterritorial reach.

“The regulation doesn’t just apply the standard territorial analysis that affects companies who have an office, a server, or employees located in the EU,” says David Elder of Stikeman Elliott LLP in Ottawa. “It also applies to any organization located anywhere in the world that offers goods and services to the EU or monitors the behaviour of EU residents.”

The legislation has considerable teeth. “Maximum fines can amount to four per cent of a company’s global revenue, or €20 million, whichever is greater,” says Florian Malecki, International Product Marketing Director for SonicWall, an internet security company headquartered in California and a Dell subsidiary. Despite the potential consequences, however, the Dell survey shows that more than 80 per cent of respondents knew few details or nothing at all about GDPR; fewer than one third of companies felt prepared for GDPR; 70 per cent of IT and business professionals said they were not, or didn’t know if their company was prepared for GDPR; and only three per cent of these respondents had a plan for readiness.

The hard data is even more daunting because the respondents included only those IT and business professionals responsible for data privacy whose organization had more than 10 per cent of its customer base in Europe.

Respondents came from the US, UK, Canada, Asia Pacific, Germany, Sweden, Benelux, France, Italy, Spain and Poland. Results from US and Canadian respondents, who made up some 200 of the approximately 800 individuals queried, reflected the survey’s general findings.

“I saw nothing that sticks out that might indicate that Canada or the US are any different from the rest of the world regarding their awareness and preparation for GDPR,” Malecki says.

“In fact, the greatest exposure seems to be from companies outside the European Union who are dealing with European customers, because their level of awareness is even lower than average.”

The survey sampled small and medium-sized enterprises (SMEs) as well as very large companies. “I wasn’t as surprised at the results from SMEs as I was at the overall lack of awareness in the larger respondents,” Malecki says.

While Canadian companies may have less to worry about than their US counterparts because Canadian privacy laws more closely approximate the GDPR, there are significant differences.

“The GDPR requires breach notification, which is a requirement only in Alberta and is coming down the pipe on the federal level,” Elder says. “As well, the GDPR requires more explicit, compartmentalized and granular consent than the general consent required in Canada.”

In other words, Canadian companies affected by GDPR will need to break down the purposes and uses to which they will put personal information in a finer fashion in order to give greater choice to individuals who are consenting. “We don’t know yet what the GDPR consent requirements will look like exactly, but the issue is causing concern here,” Elder adds.

The upshot is that it’s not too early for Canadian companies to start looking at the GDPR. “At the very least, companies will want to do an initial assessment to see how they are affected so that they can ensure a seamless transition,” he says.

More particularly, Elder believes that companies should among other things start thinking about whether they want to incorporate different forms of notice, stop certain practices, and have separate websites for EU customers.

For its part, Dell recommends that affected companies should start to address all GDPR requirements by beefing up solutions for access governance and management, secure mobile access, email security, as well as for protecting the perimeter of their networks.

The good news is that it’s still early enough to consider compliance in an orderly fashion. “I wouldn’t say it’s time to panic quite yet,” Elder says. “But others may certainly disagree.”