Why does my organization need to get ready?
The General Data Protection Regulation (GDPR) is a new data protection law that will apply across the European Union (EU) and impact organizations across the world as of May 25, 2018.
Organizations outside of the EU are required to comply with the GDPR if they process personal information of EU residents (e.g. if they offer goods or services to, collect, store or handle personal information of, or monitor the behaviour of EU residents).
As such, almost any organization with an internet presence may be impacted.
The GDPR provides for significant fines for non-compliance: up to €20 million or 4% of annual worldwide revenue, whichever is higher. In addition, the GDPR gives individuals who have suffered damage a statutory right to seek compensation from organizations, and allows public interest organizations to bring representative actions on behalf of such individuals. Damages are not strictly limited to financial loss and may also be available for non-financial loss (e.g. distress or reputational damage).
What are the immediate steps my organization needs to take?
Organizations impacted by the GDPR need, at a minimum, to take the following steps before May 25, 2018:
- Develop and implement an external privacy statement/supplement for EU residents setting out specific additional practices/rights. Such statements would typically be linked to from an organization’s existing external privacy policy on the organization’s website.
- Review and update websites and other contact points where personal information from EU residents may be collected to ensure that appropriate consent is obtained.
- Review and, where appropriate, update contracts with third-party service providers. This will typically involve developing and implementing privacy terms or a privacy supplement for contracts that relate to products or services offered in the EU, or under which the personal information of EU residents may be collected, accessed or stored. Such additional terms can usually be added to existing contracts by way of an addendum.
- Review and update internal privacy policies and procedures to enable organizations to meet the GDPR requirements. In many cases this will include developing and implementing an internal privacy breach procedure. This latter step should also keep in mind that mandatory breach notification will be required in Canada as of November 1, 2018 for organizations whose privacy practices are governed by the federal government’s Personal Information Protection and Electronic Documents Act (otherwise known as PIPEDA).
- Review and update the security safeguards used by the organization, including the technical and organizational measures used to protect personal information, to ensure that they are adequate and support compliance with the GDPR.
MLT Aikins has developed template documents to assist organizations in implementing these immediate steps as part of their GDPR compliance project, which can be customized in a cost-effective manner.
Organizations with a significant EU presence will need to undertake a more detailed review of their GDPR related obligations and implement additional steps. MLT Aikins can assist such organizations in doing so.
For more information on the GDPR and how your organization can prepare for the GDPR, please see our GDPR Information Sheet and previous blog post.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.