Welcome to our Motion – Discussing what matters video series, where our experienced lawyers provide timely analysis on hot issues relevant to Canadians.

This latest episode focuses on the European Union's far-reaching General Data Protection Regulation (GDPR), which took effect in May.

The Canadian chair of our technology and outsourcing practice team, partner Robert Percival, explains what your company needs to consider if it is impacted by the legislation, but not yet compliant.

And he discusses upcoming changes to Canadian data privacy regulations.


Does my business need to worry about the GDPR?

The short answer is yes. Canadian organizations do need to be concerned about the possible application of the GDPR, which is short for the General Data Protection Regulation, and which was implemented in May of 2018. The GDPR generally applies to EU organisations which are collecting or processing personal information but it also has a significant extraterritorial application and can apply to organizations outside of the EU including Canadian organizations. As a consequence, Canadian organizations really need to determine whether or not the GDPR applies to their operations and if it does whether its existing data protection practices and procedures comply with the requirements of the GDPR. Any non-compliance will require the adoption and implementation of more stringent procedures and practices in order to meet the more stringent requirements of the GDPR. Finally it's important to note that non-compliance with the GDPR requirements bears significant potential penalties of up to 30 million dollars. So it's important for Canadian businesses that may themselves be subject to the GDPR to ensure that they are in fact compliant.

How do new Canadian mandatory breach notification requirements compare to the GDPR?

The federal Government recently amended the Personal Information Protection and Electronic Documents Act, also known as PIPEDA, to provide for mandatory breach notification to both individuals and to the federal privacy commissioner in the event of a data breach involving personal information that has a risk of significant harm to the affected individuals. These amendments also required organizations to create and maintain a registry of data breaches involving personal information. In implementing these amendments, the Government sought to harmonize Canadian data protection legislation with new requirements imposed by the General Data Protection Regulation adopted by the EU in May of 2018. Under the GDPR, organisations are similarly required to report both to the applicable regulatory authorities, but also to individuals, the occurrence of a data breach where risk of significant harm occurs. As a consequence, Canadian organisations that are either subject to PIPEDA or, and or the GDPR, should immediately implement and adopt a compliance strategy that addresses both the new mandatory breach reporting obligations as well as their obligations to create and maintain a data breach.

How should Canadian businesses approach recent changes in Canadian and European privacy laws?

I think Canadian organizations should really look to the GDPR for inspiration when considering updating current practices and policies relating to data protection. While notable differences remain under obligations existing under Canadian law versus obligations under the GDPR, I think that Delta will continue to close over time particularly as Canada seeks to continue to maintain its adequacy standing under the GDPR in order to ensure the continued flow of information between the EU and Canada. As a consequence, I think for most Canadian organizations a sound business strategy will be to adopt practices and policies concerning data protection that are much more in line with the existing requirements under the GDPR as opposed to lesser standards that are enforced under existing Canadian privacy laws.

About Norton Rose Fulbright Canada LLP

Norton Rose Fulbright is a global law firm. We provide the world's preeminent corporations and financial institutions with a full business law service. We have 3800 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.

Recognized for our industry focus, we are strong across all the key industry sectors: financial institutions; energy; infrastructure, mining and commodities; transport; technology and innovation; and life sciences and healthcare.

Wherever we are, we operate in accordance with our global business principles of quality, unity and integrity. We aim to provide the highest possible standard of legal service in each of our offices and to maintain that level of quality at every point of contact.

For more information about Norton Rose Fulbright, see nortonrosefulbright.com/legal-notices.

Law around the world

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.