Canadian business may face sanctions under EU’s new privacy law
May 25, 2018
Any Canadian business that collects personal information about residents of the European Union — whether they’re tourists, students or online customers — risks maximum fines of $30 million or more if they violate a sweeping new EU privacy law that takes effect Friday.
But privacy experts say many small- and mid-sized Canadian companies have only recently become aware that they may be covered by the EU’s General Data Protection Regulation, which was adopted by the 27-country regional government in 2016 with a two-year delay before enforcement starting on May 25, 2018.
“Anybody that is collecting personal data from European residents — not only citizens — needs to comply with this,” Ale Brown, founder of Kirke Management Consulting, said in a phone interview from Vancouver.
That’s equally true for a boutique fashion company selling purses, a university with students from a European country or a website using cookies or other information tracking features, she said. The GDPR could even affect small tourism-related businesses such as a resort or tour operator, because they have guests from all over the world.
Besides having potentially hefty fines, the GDPR’s scope is also sweeping.
It covers everything from giving people an opportunity to obtain, correct or remove personal data about themselves, to outlining rules for disclosing security breaches, to providing easily understood privacy policies and terms of service.
One of the criticisms of GDPR has been that it could impose higher administrative costs on every company that wants to comply with the rules — plus the potentially devastating impact of being hit with a fine for violating the law.
Brown said many of her larger clients have been grappling with the legal and operational implications of the GDPR for 18 months or more, but others have only recently become aware that they need to be ready too.
A top priority for them, she said, is to respond quickly if somebody requests access to their personal information or corrections to what’s on file about them — both rights recognized by the GDPR.
“Smaller businesses in Canada may fly under the radar for a while, because the supervisory authorities are going to have to prioritize, but if somebody lodges a complaint — they’re going to come,” Brown said.
Psychlinks Web Services has already taken steps to ensure that our clients are being brought into line with GDPR regulations and we will continue evaluating your websites for further updates.