GDPR: A Primer for Canadian Businesses

Europe’s General Data Protection Regulation reaches any organization, wherever it is located, that processes the personal data of individuals in the EU. But what exactly does it mean for Canadian businesses and CPAs?

One of the world’s strictest data-protection laws has applied since May 25, 2018. The General Data Protection Regulation (GDPR) casts a much wider net than its predecessor, the 1995 Data Protection Directive, and has real bite. The most serious infringements can be fined up to 4% of annual worldwide turnover or €20 million, whichever is greater. Individuals also have a right to compensation for material or non-material damage caused by a contravention, and not-for-profit bodies active in data protection can lodge complaints and pursue redress on their behalf.

A little background: In an increasingly data-driven world, the GDPR was designed to:

  • harmonize data-protection law across the EU for every organization that operates there, regardless of where it is based;
  • give individuals in the EU stronger protection and more control over their personal data;
  • change how organizations approach privacy, with an emphasis on being transparent about what data they collect, why they collect it, and how they protect it.

How to know if you’re subject to GDPR

A new report outlines the four groups affected by the GDPR. In effect, any Canadian business that ticks any one of the four boxes below must comply with the GDPR:

  • has offices or employees in the EU;
  • offers goods or services to people in the EU online, whether or not payment is required (no physical footprint is needed; a website or mobile app that targets EU customers will do);
  • collects IP addresses, cookie identifiers or other personal data of people in the EU in order to monitor their online behaviour;
  • processes the personal data of individuals in the EU on behalf of clients, that is, acts as a processor.

Once you’ve determined that the GDPR applies to your organization, the next step is to assess how much of it applies and where your exposure lies. Fines are tiered by the seriousness of the infringement: up to €10 million or 2% of annual worldwide turnover for breaches of obligations such as security, record-keeping and breach notification, and up to €20 million or 4% for breaches of the core principles, of individuals’ rights, or of the rules on transfers outside the EU.

Personal data defined

Any information that relates to an identified or identifiable living individual in the EU falls under the GDPR. This includes name, home address, ID card number, IP address and other online identifiers, and health data. The rules apply as soon as personal data is collected, used or stored; each of those activities counts as processing.

The biggest changes for Canadian businesses under GDPR

  • The conditions for consent have been strengthened. Where an organization relies on consent, it must be freely given, specific, informed and unambiguous, and given by a clear affirmative act; pre-ticked boxes, silence or inactivity do not count, and the request must be written in clear, plain language. Consent cannot be presumed, and it must be as easy to withdraw as it was to give. Consent is only one of several lawful bases for processing (performance of a contract, a legal obligation and legitimate interests are others), but whichever basis applies, individuals have the right to access their data and obtain a copy of it, to have it corrected, to have it erased in certain circumstances (for example when consent is withdrawn and no other basis applies), and, for data they provided that is processed by automated means on the basis of consent or contract, to have it moved to another provider in a commonly used machine-readable format.
  • Companies must have a well-defined purpose for collecting data, must tell individuals before using their information for a new purpose that is incompatible with the original one, and must disclose transfers of their information to recipients outside the EU along with the safeguards relied on. Where decisions with legal or similarly significant effects are made solely by automated means, including profiling, individuals must be told, given meaningful information about the logic involved, and be able to obtain human intervention and contest the decision.
  • Organizations must inventory their data and keep records of the processing they carry out and that third parties carry out for them: what is processed, for what purpose, with whom it is shared, how long it is kept and how it is secured. They must also log every personal-data breach, notify the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals, and notify the affected individuals without undue delay when the risk to them is high. A processor must notify its controller clients without undue delay.
  • A data protection impact assessment is mandatory before starting any new processing, technology or business change that is likely to result in a high risk to individuals, such as large-scale profiling or systematic monitoring, and organizations must build data protection into systems by design and by default, collecting and retaining only the data a purpose requires.
  • A data protection officer must be appointed where core activities involve regular and systematic large-scale monitoring of individuals or large-scale processing of sensitive (special-category) data, or where the organization is a public authority; other companies may appoint one voluntarily. A Canadian business with no EU establishment that is caught by the GDPR must generally also designate a representative in the EU.

To learn more about privacy and cybersecurity and the role you can play as a CPA to keep data safe, take advantage of these professional development offerings:

Essentials of Online Security and Privacy for CPAs
Virtual classroom | October 10, 2018 | 12 to 2 p.m. EST | 3 CPD hours

Introduction to Cybersecurity for CPAs
On-demand | 5 CPD hours

Success Podcast Series – IT and Innovation
On-demand | 2 CPD hours