GDPR and Canadian Business: Be prepared
Europe is ready to implement perhaps the world’s most stringent privacy regulations next May. It will have a wide-reaching impact on Canadian firms, too.
By: Dan Finerty, Pre-sales specialist, Data Management, SAS Canada and Mike Luke, Solution Executive, SAS Canada
As business becomes ever-more an international concern, Canadian business has many issues to keep abreast of—mores of social interaction, foreign business practices, and, perhaps most significantly, bodies of legislation and regulation that govern the conduct of commerce. Running afoul of the latter can be an expensive proposition, both in terms of monetary cost and reputational cost.
Europe has long been the vanguard of privacy protection for its citizens. In 1978, France passed the Data Protection and Liberties Act, providing for a fine of about $5,000 (CDN) and a jail term of up to six months for any person, company or government agency receiving or processing personal information without consent. Germany enshrined the right of informational self-determination—the right of the individual to control the fate of his or her private data—in its constitution. Convention 108, signed into law by the member states of the European Union (EU) in 1981, became the first international policy outlining the principles of privacy and data protection. 
Europe is preparing to embark on even more stringent regulations protecting the privacy of personal data collected and processed by companies, agencies and individuals. The General Data Protection Regulation, or GDPR, takes effect May 25, 2018. This far-ranging data protection regulation applies not just to EU-member countries, but to businesses and governments anywhere in the world that deal with a European market.
GDPR at a glance
“GDPR will change the privacy law landscape for any Canadian organization that deals with the personal information of European Union citizens,” says Dean Dolan, Toronto-based counsel in the International Commercial Practice of law firm Baker & McKenzie LLP. “It will require Canadian organizations to up their game on privacy compliance, because any Canadian company that deals with even a small amount of EU-citizen data is vulnerable.”
Not only is the regulation more stringent than ever before, the consequences of violation are a far cry from 1978’s slap on the wrist. Penalties for non-compliance can reach 20 million euros ($30 million CDN at the time of publication) or four per cent of annual revenues.
GDPR is based on the guiding principle of personal ownership of private information. Citizens have the right to:
- Access their personal data
- Know how it’s being used
- Ask for errors to be rectified
- Restrict processing of their data
- Obtain and reuse their personal data
- Object to certain uses
- Request the removal of data (the “Right to be Forgotten”)
- Request an explanation about automated decisions
For their part, businesses must be able to show that data is secure; that appropriate governance and controls are in place; that data use is transparent, appropriate, fair, and permitted by the owner; that there are measures in place to minimize and correct errors; and that they are prepared to respond to a potential breach.
The first hurdle in the race to GDPR compliance: Identifying what’s personal information.
The Challenge: Where do we start?
Very few, if any, enterprise systems are built and launched as a single entity. Separate elements are created on an as-needed basis: as new products and offerings come on line, as new business processes are dictated, and as legacy systems demand updating and remediation. These separate elements are usually created by separate developers, and often have different taxonomies. So even the most elementary personal information can pose a challenge to disparate systems. Is the Marc Smith in System A the same person as the M. Smith in System B, or the Marcus Smith in System C?
Even that can be a best-case scenario. In the past, customer records were largely in databases and consumed by a variety of enterprise-level applications. With a new and ever-expanding scope of touchpoints—e-mail, social media, near-field communications (NFC), applications that track location by global positioning system (GPS) or point-of-sale—personally identifiable information can turn up in heretofore unthought-of repositories. And it’s also being processed by applications in cloud and Big Data environments that are relatively new to the enterprise.
So, obviously, it’s a data management issue. Or is it? Actually, several perspectives come into play.
It’s a data management issue. We can’t begin on our GDPR journey without a comprehensive inventory of the data that is collected by, stored in, and used by those disparate systems. Can we classify that data as personally identifiable and private? Can we map that data to the downstream systems that extract and consume it, and the security of those systems? Do those systems allow unencrypted transfer of that information by online downloading to personal systems, storage on CD or other media, or export to USB keys? It all starts with clean, tagged, mapped data with a consistent taxonomy.
It’s a legal issue. But what constitutes private data and its justifiable, permitted use? The legal department has to take the lead on this front, interpreting the regulations to advise on what types of information could be considered personally identifiable and private, what uses—both individually and in aggregate—are legitimate, and what constitutes permission from the customer. Legal will also play the most significant role in the design of governance and compliance mechanisms, and how they can be served by the data schema.
It’s a business process issue. Line-of-business (LoB) expertise lies in how data is handled, by whom, and for what purposes. LoB is also expert in the logistics of procuring and managing permissions and opt-outs from the customer experience. Although GDPR touches every line of business, it’s a more onerous proposition for sales and marketing, who deal one-on-one with customer information, than for, say, logistics, whose role is usually post-permission, or finance, which is generally dealing in aggregated information.
Steps to GDPR competency
When the rubber meets the road, it’s a leadership issue. There are too many facets to GDPR readiness to leave it to the direction of one department. So the first step on the road to GDPR compliance is to build a practice devoted to the task—an uber project management team, if you will. Leadership and support personnel from IT, data processing, legal, affected lines of business and the executive should be appointed to the project to ensure all perspectives are represented.
The goal is to architect a system that not only responds to the challenges of GDPR-compliance, but also has the flexibility to respond to a changing privacy seascape—privacy regulations aren’t going to become less stringent in the future. This is called Privacy by Design (PbD), a framework created by three-term Ontario Privacy Commissioner Ann Cavoukian, now the Executive Director of Ryerson’s Big Data and Privacy Institute.
It is a universal concept that was pioneered here in Canada by Ann Cavoukian, based on the premise that privacy should be embedded into the design and operation of IT systems, networked infrastructure and business practices. It is supported by 7 Foundational Principles.
Privacy by Design has the world’s attention: regulators at the 2010 International Conference of Data Protection Authorities and Privacy Commissioners unanimously passed a resolution recognizing it as “an essential component of fundamental privacy protection.” Since then, it has been translated into 38 languages, giving it a true global presence. It is now law under the pending GDPR.
“This was intended as a proactive measure to prevent privacy harms from arising,” Cavoukian says. Often, security and privacy are viewed as competitors in a zero-sum game; that’s a “false dichotomy,” Cavoukian says. “You can have privacy and security; privacy and data analytics, not one to the exclusion of the other, involving unnecessary tradeoffs.”
An architecture with that kind of flexibility is not just a response to the challenge of more restrictive privacy regulation; it also can serve as a foundation for driving competitive advantage. It is, on a basic level, simply good business process.
The third leg of the stool is a demonstrably effective governance and compliance regimen that can establish how data is collected and used, provide a trail from collection to consumption of data, and which can be rigorously audited. To this end, Deloitte launched a Privacy by Design Certification Program exclusively with Ryerson. Deloitte operationalized the 7 Foundational Principles by developing 30 measurable criteria and 107 illustrative controls that aim to help organizations assess against these principles, implement and track performance, and better manage risk.
“It’s a holistic, risk based approach to privacy and data protection because it considers people, process, technology and governance controls in relation to the full data life cycle – from beginning to end,” says Sylvia Kingsmill, Partner at Deloitte Canada who launched the Program with Ann. “It also underscores the importance of security protection to prevent unauthorized access, while assessing how well an organization respects the end user through consent, choice, transparency, data minimization techniques, and other privacy enhancing design choices.”
Compared to many jurisdictions, Canada has a head start in the race to GDPR compliance. Canada is an acknowledged leader in privacy regulation. Banking regulations have elevated requirements for data governance; anti-spam legislation has taught enterprise about what constitutes valid consent for data use. We have advanced regulation on the portability of data (data collected in Canada stays in Canada).
But there’s still some distance to go to meet European standards, and that’s not optional for Canadian businesses with subsidiaries in Europe, or which conduct a significant amount of business with European companies or individuals.
Whether you’re starting from the beginning or overhauling your existing privacy systems, you’ll also want to think about the following when it comes to GDPR Readiness:
- Whether you have a chief privacy officer at the executive level.
- How to treat privacy as a risk-management issue, not a compliance issue.
- Sharing the responsibility for privacy across the organization and avoiding the siloed behaviour that happens between the security and privacy functions. The start of the process is when architects, engineers, app developers, and privacy and security officers should collaborate on design choices.
- What type of data you collect, where and how you are storing it.
- Being accountable for the privacy of your data no matter what. Responsibility can’t be outsourced, so you must ensure any third-party vendors are as stringent about privacy as you are.
To comply, you’ll need to know how the GDPR defines personal data, where it’s located in your business, how it’s used, who can access it, and much more.
Dan Finerty, Pre-sales specialist, Data Management, SAS Canada, is a 30-year veteran in the Information Management discipline. He is currently responsible for providing guidance to customers to maximize their return on investment in Advanced Analytics through the strategic deployment of Data Management capabilities.
Mike Luke is a member of the Strategic Alliances group in SAS Canada. Through key industry partnerships, he evangelizes how the use of data and advanced analytics can help organizations reach their highest potential.
 “France maintains long tradition of data protection,” Deutsche Welle (DW), January 26, 2011.