Ready or not Canada, here comes GDPR privacy law
TORONTO Any Canadian business that collects personal information about residents of the European Union —whether they’re tourists, students or online customers —risks maximum fines of $30 million or more if they violate a sweeping new EU privacy law that takes effect Friday.
But privacy experts say many small- and mid-sized Canadian companies have only recently become aware that they may be covered by the EU’s General Data Protection Regulation, which was adopted by the 27-country regional government in 2016 with a two-year delay before enforcement starting on May 25, 2018.
“Anybody that is collecting personal data from European residents — not only citizens — needs to comply with this,” Ale Brown, founder of Kirke Management Consulting, said in a phone interview from Vancouver.
That's equally true for a boutique fashion company selling purses, a university with students from a European country or a website using cookies or other information tracking features, she said. The GDPR could even affect small tourism-related business such as a resort or tour operator, because they have guests from all over the world.
Besides having potentially hefty fines, the GDPR’s scope is also sweeping.
It covers everything from giving people an opportunity to obtain, correct or remove personal data about themselves, to outlining rules for disclosing security breaches, to providing easily understood privacy policies and terms of service.
One of the criticisms of GDPR has been that it could impose higher administrative costs on every company that wants to comply with the rules _ plus the potentially devastating impact of being hit with a fine for violating the law.
Among those raising the alarm is Jake Ward, a spokesman for the recently formed Data Catalyst advisory council, which aspires to educate policy makers and businesses about the importance of the data-driven economy.
“Now, I’m not saying that it’s a bad bill, because I don’t necessarily think it is,” Ward said in an interview.
“But there could have been some steps taken to appreciate that the challenges of small businesses is different from the large.'”
For example, he said, a fine of four per cent of annual revenue would be very painful for a large company like Facebook or Google but “that’s a death sentence for a small company that gets hit with a GDPR fine.”
While the EU intends for its fines to be a real deterrent to breaking the privacy law, it does take into account a number of factors, such as whether the infringement is intentional or negligent, the actions taken to reduce damage to the individuals, and preparations in place to prevent non-compliance.