Canada is Imitating EU’s GDPR, New Policy Takes Effect On Nov 2018

Canada has apparently imitated European Union’s GDPR, that is the latest news from the country’s Office of Privacy Commissioner of Canada (OPC). Under the new policy, starting November 2018, all companies operating in the Canadian territory are mandated to report breaches that happened in their organization to the OPC.

The OPC through its directive is also forcing companies that experienced security breaches to contact the owners of the stolen information ASAP. Informing them of their options and giving them mitigation steps on how to lessen the impact of the hacking event. Likewise, firms are ordered to maintain two-years worth of breaches record for later auditing of OPC. The agency is set to slap the corporate violators with Canadian $100,000 fine for each instance of data breach offense.

Security researchers like Alex Cameron, Fasken Martineau DuMoulin’s Chair of Cybersecurity has expressed his confidence that Canadian’s large companies are very much ready for 100% compliance with the new regulation. He, however, expressed pessimism about the readiness of SME’s (Small and Medium Enterprises). Corinne Pohlmann, SVP for National Affairs of the Canadian Federation of Independent Business echoed Cameron’s point: “I doubt most small-business owners even know these new rules exist. Privacy is low on the radar for many small-business owners. Nonetheless, we are going to make sure they are aware.”

Some companies are seeking clarification about the OPC’s ruling, as they need to implement massive changes with their operations, let alone setup enough funding for such compliance endeavor. “The moment they notify in high-profile cases, within 24 to 48 hours, there’s class-action litigation. We’ll see a bit of an increase initially, you’ll see the pendulum swing back to a more balanced situation.”

The academy has also stated its opinion on the issue, as Michael Geist, University of Ottawa’s Law professor stated: “If every breach resulted in a notification, the public would become numb to them. There may be others that cause harm and the public is kept in the dark.”

It is apparent that GDPR has been a very critical regional law in the EU-member states, which made other countries emulate its effects in their own respective categories. Under GDPR the following are the goals:

• Enhanced rights for data subjects – the right to object to certain types of profiling and automated decision-making, and to request that unnecessary personal data is deleted.
• Enhanced obligations for organizations – such as publishing detailed fair processing notices to inform individuals of their data protection rights, the way their information is used and for how long.
• Stringent consent requirements – consent must be explicit, freely given for a specific purpose and easy to retract.
• Stricter breach reporting – significant data breaches must be reported to regulators within 72 hours and sometimes the individual, too. Increased privacy impact assessments – organizations must formally identify emerging privacy risks, particularly for new projects.
• Privacy by design – organizations must design data protection into new and existing business processes and systems.
• Increased record keeping – organizations must maintain registers of the processing activities they carry out, with mandatory DPIAs for high-risk data processing.
• Significant penalties – the potential size of fines for non-compliance will be considerable, reaching €20million or up to 4% of turnover, whichever is greater
• Appointing DPOs – appointing a data protection officer will be mandatory for many organizations.
• Wider regulatory scope – the new regulation will apply to both the data controller and the processor.