Important GDPR Requirements for companies in Canada and USA
The General Data Protection Regulation (GDPR) remains a scary mystery for many Canadian and USA companies with an online presence.
The GDPR, which is Europe’s most comprehensive data privacy law, was enacted in 2016 but was only enforced starting in May 2018. Because both regulators and businesses are still in the process of solidifying its enforcement, there may be a lot of concerns over the requirements, especially for non-European businesses.
GDPR has far-reaching consequences. As a law, its applicability is not limited by the physical boundaries of the European Union (EU) or the European Economic Area (EEA). It has the power to influence companies based in the USA, which is the biggest trading partner of the EU, as well as in Canada and other parts of the world.
Applicability of GDPR
Before listing the GDPR requirements, it’s crucial to clarify whether GDPR applies to American companies. Broadly speaking, the GDPR applies to Canadian and USA companies because it is extra-territorial in scope.
Specifically, Article 3 of the GDPR covers the “processing of personal data of data subjects who are in the union by a controller or processor not established in the Union”. The law clearly specifies that it applies to any controller or processor not established in the Union (or the EU), including those established in the USA and Canada.
Not all US and Canadian companies, however, need to know the GDPR inside out. The law is only applicable to companies dealing with information on certain “data subjects”. GDPR covers the processing of personal data of anyone who is in the EU or EEA, including citizens, residents, and even visitors.
This is an essential clarification because the GDPR can cover even the personal data of American tourists in the EU.
Conversely, online businesses do not need to worry about GDPR when they deal with the personal data of European citizens living in the US or Canada. However, other laws, such as the Children’s Online Privacy Protection Act or the California Online Privacy Protection Act, may apply.
Thus, any American or Canadian company needs to comply with the GDPR regardless of size or revenue as long as it involves data subjects who are in the union.
However, businesses with fewer than 250 employees are not required to keep a record of their data-processing activities if those activities are unlikely to pose a risk to the rights and freedoms of data subjects and if no special categories of data are being processed.
Defining and processing data
Processing of personal data of data subjects includes at least one of these two activities:
- The offering of goods or services to EU/EEA data subjects, whether or not a payment is required in the transaction.
- Monitoring of user behavior, as long as the behavior takes place within the EU/EEA.
Personal data is defined as any piece of information that can help identify an individual. This includes names, contact information, photographs, videos, as well as device details such as IP addresses, location data, and biometric information. A person’s e-mail address in a marketing list is considered personal data.
Special categories of personal data are mentioned in most privacy laws. That includes medical information and records, as well as children’s personal data.
Aside from these identifiers, the GDPR also covers the monitoring of user behavior. This includes internet tracking by a website using cookies and the use of algorithms that predict preferences for targeted advertising. Online businesses commonly use these strategies to boost performance and website traffic.
Any online business or website that targets persons in the EU will need to comply with the GDPR if any of the conditions above are met.
The GDPR may apply to both the controller and the processor of personal data. As mentioned, the processing of personal data includes the collection, recording, organization, storage, retrieval, use, alteration, or disclosure of any data that can help identify an individual.
A controller, on the other hand, determines what to do with the data. A clothing business gathering email addresses for sales and a marketing list is a controller. Shipping companies and third-party payment companies are processors of personal data.
Data processing also applies to internal company information. Large online businesses with agents or employees in the EU are also required to have measures for the handling, storage, transfer, and use of employee personal data.
Here are several scenarios to illustrate data processing activities and the GDPR:
- A California-based specialty store ships electronics to Paris, Berlin, and other European cities. Because its offer targets the EU, it must comply with GDPR.
- A Montreal-based online tutoring service only caters to customers in the surrounding region. The personal data of individuals accessing the website from Europe is not covered by the GDPR as the website does not offer goods or services to EU/EEA data subjects.
- A Canada-based freelance writer publishes in French and accepts commissions from French publishing houses. GDPR applies because the offer of service is made to data subjects in the union.
Enforcement of GDPR
Non-compliance with the GDPR comes with heavy consequences. Failure to meet requirements will lead to a fine of 4% of the annual global revenue or €20 million, whichever is higher.
For most purposes, the law mandates the appointment of a representative physically located within the EU/EEA to facilitate enforcement. In instances of non-compliance, any assets in the EU/EEA may be seized, including bank accounts and real estate.
For online businesses and websites that have no physical presence in the EU, international law will take effect. The European Union has mutual assistance treaties with many countries, including the US and Canada.
Compliance and key requirements of the GDPR
There are several layers of requirements to the GDPR. The first is to enact privacy policies that maximize user consent, agency, and data protection. The next is to keep records of processing activities.
Here are some of the other key requirements expected of US and Canadian online businesses targeting EU data subjects.
Strict consent conditions
The GDPR states that customer consent must be “freely given, specific, informed and unambiguous”, especially in the context of storage, use, and retention of personal data. For sensitive personal information, consent must also be “explicit”.
Customers need to be able to see and delete data that concerns them. Consent conditions must also be accessible on the website and not buried in legalese. Multiple processing activities cannot be covered by one bulk consent.
Transparency in the data processing
The GDPR states that data processing must be done “fairly, lawfully and transparently”. Policies regarding processing must be easily accessible and written in clear, intelligible, and plain language.
Data breach notifications within 72 hours
Individuals have the right to know about the security of their personal data. A breach refers to risk to fundamental rights. Any security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to data must be reported to the relevant supervisory body within 72 hours.
Hiring a data protection officer (DPO)
Under the GDPR, all public authorities and all businesses involving large-scale data processing must appoint a DPO. The GDPR specifies the qualifications, duties, and characteristics of a data protection officer.
Data protection impact assessment
It’s crucial to understand the risks to the security and privacy of the data. This assessment comes with ways to mitigate such risks, as well as efforts to increase security like organizational safeguards and end-to-end encryption.
Protection by design and by default
Companies must use technical and organizational measures toward data privacy and minimization. These measures must be integrated into the design of a new project.
Records of processing activities
Aside from measures to be more transparent with customers, online businesses and websites should also keep a record of data processing activities. A record of any activity dealing with the use of personal data can also serve to support compliance with the GDPR.
The following information should be kept on record when processing personal data, especially sensitive information:
- Name and contact details of the controller or joint controller
- Name and contact details of the data protection officer
- Purposes of the data collection, retrieval, processing, etc.
- Description of categories of data subjects or users processed
- Description of categories of personal data
- Categories of recipients of the personal data, including those in the US, Canada, and other territories, e.g., shipping companies, payment companies
- Records of transfers of personal data to another country or an international organization, with documentation of suitable safeguards as needed
- Set time limits for retention and erasure of different categories of data
- A general overview of technical and organizational security measures
These records must be kept in writing, including electronically. They should be made available to the appropriate supervisory authority upon request.
Good practices for GDPR
Compliance with the GDPR should be a priority of any online business or website looking to deal with data subjects in the EU, whether or not they are based in the USA and Canada. After all, non-compliance carries a steep fine. The fine for non-compliance is 4% of the annual global revenue or €20 million, whichever is higher. The shockingly high amount made several headlines when it was first announced.
However, enforcement of the GDPR began only recently, in May 2018. As such, there are still several details regarding its application that have not been fully established. It will take some time for precedents to be set and for regulations to be clarified. As such, there is still some opportunity for US and Canadian online businesses to refine their approach to Europe’s privacy law.
In the meantime, courts are more likely to go after large-scale businesses that have shown gross negligence or extreme non-compliance with the GDPR before inspecting smaller businesses.
Early in 2019, Google made the news for being an example of GDPR in action. France’s data protection regulator, CNIL, issued Google a €50 million fine for non-compliance with GDPR, specifically on data consent policies. Data consent must be “freely given, specific, informed, and unambiguous”, according to GDPR.
Companies should start enacting good practices for data and privacy policies to avoid being caught in a regulatory nightmare. Some practices to consider seriously are:
Know the data
The first step for any American or Canadian business is to establish whether or not the GDPR applies to their operations.
Does the company collect, use, or store personal data on data subjects within the EU/EEA? What types of data are involved? Certain categories of data require stricter policies than others. Where is the data stored? Are there other joint controllers/processors involved?
Knowing the categories of data and their processing is a team effort. Members from the IT department, human resources, sales, and operations may all need to contribute to the creation of policies regarding personal data.
Check the guidelines
Online businesses and websites need to stay up to date with the latest guidelines to prevent any legal issues.
GDPR.eu is a convenient resource for organizations and individuals that want to stay updated regarding this data protection law. In the interim, several online businesses and websites have blocked off access from the EU while they develop policies and safeguards for GDPR compliance.
Keep records of processing activities
If a company becomes subject to an investigation, records will ideally show that the proper risk mitigation efforts and notifications were made.
Aside from recording for accountability purposes, records also help in the development of a company’s data and privacy policies. Recording processing activities has the added benefit of supporting a business’s claims of attempting to be compliant with the GDPR.
Delete or anonymize data as soon as possible
As much as possible, personal data should be anonymized, pseudonymized, or deleted as soon as possible. Companies should refrain from retaining data that is no longer in use. The expected time of retention should also be disclosed to customers if possible.
Compliance with the GDPR is essential for US and Canadian online businesses and websites with clients within the EU/EEA. By knowing the requirements and setting good practices, there should be no problem in balancing both business interests and individual rights.
- November 4, 2019