Canada’s sluggish response to updating its privacy legislation to address the concerns addressed in the General Data Protection Regulation (“GDPR”) may jeopardize the adequacy status from which the country, and by extension companies regulated by the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), benefit. Add to this the prevailing uncertainty regarding whether organisations in British Columbia, Alberta, and Quebec benefit from adequacy status at all since these organisations are regulated by their respective provincial laws which have not received adequacy recognition, it might be a good idea for organisations that process information on European nationals to begin to take GDPR compliance into their own hands.
The following steps provide a brief overview of the measures an organization should take to become GDPR compliant:
• Appoint a Privacy Officer or, in smaller organisations, a go-to person for data protection.
• Create a data register in which the organisations’ departments (ie. human resources, marketing, finance, etc.) describe the data they process, the people or institutions within and outside the organisation to whom the data is transferred, retention and destruction procedures and safeguards.
• Prioritise compliance by ensuring that:
a. only necessary data is being collected;
b. the legal basis for data collection are respected;
c. clear and explicit privacy notices are drafted to inform individuals of how their data will be collected, stored, used, retained, and transferred;
d. suppliers and subcontractors are compliant and have signed agreements testifying to this compliance;
e. either model clauses are in place for documents involving data transfers between Europe and Canada or other accepted measures are being used;
f. data access, amendment, and take-down procedures are in place; and
g. data-breach response procedures are in place
• Conduct a privacy impact analysis to determine which data is at greatest risk and how to protect it.
• Establish processes including continuous general and targeted data protection training to ensure data is protected at all times by every member of the organisation.
• Document compliance (ie. save forms evidencing consent as well as data access / amendment / take-down requests and organisational responses to these)s
These measures are not impossible to implement. They demonstrate the value, however, of making data protection a governance mater so as to reduce exposure in the event local regulatory bodies are slow to respond to global trends.