
Posted in: Data Security/Privacy | CASL | GDPR | Data Protection

Jul 21, 2017

With All Eyes Turned to CASL, is Anyone Paying Attention to GDPR?

With Less Than One Year Before GDPR Takes Effect, Make Sure Your Organization is Ready

By Paige Backman and Aaron Baer

In early June, the Government of Canada came to its senses by suspending the provision of Canada’s Anti-Spam Legislation (“CASL”) that would have enabled a private right of action to be brought as of July 1, 2017. While this decision provided temporary relief to businesses that feared frivolous million-dollar lawsuits, compliance with CASL is still a reality for businesses. As we discussed on the Spotlight in April, the three federal agencies that enforce CASL still have the authority to impose administrative monetary penalties against businesses.

However, lost in all the CASL attention is the pending introduction of the European Union’s General Data Protection Regulation (GDPR). Just as businesses scrambled to become CASL compliant prior to July 1, 2017, there is no doubt that the same scramble will take place as businesses turn their attention to the GDPR.

If your organization offers goods or services to residents of the European Union over the Internet, or processes the personal data of any such European Union residents, your organization will likely be required to comply with the GDPR, even if your organization has no physical presence in the EU.

The GDPR, which is expected to come into force on May 25, 2018, imposes a number of additional burdens on organizations, and the penalties for breaches are steep: up to 4% of annual worldwide turnover (revenue).

The new rules contained in the GDPR include:

  • requirements to obtain unambiguous consent;
  • obligations to report data breaches within prescribed time periods;
  • contractual and other obligations between a data collector and data processor;
  • special consent requirements for the collection of children’s data and special protections for children’s personal data (this can particularly impact social media, users of mobile apps and the education industry); and
  • new terms required to be included in privacy policies (which must be written in clear and plain language).

As Paige Backman, Chief Privacy Officer at Aird & Berlis, noted in a recent article for Bloomberg Law, the GDPR has the potential to significantly alter business structures and processes for companies outside the European Union. This is catching many businesses by surprise.

The Canadian Parliament’s House of Commons Access to Information, Privacy, and Ethics Committee has been reviewing Canada’s PIPEDA to assess whether changes to PIPEDA are required, including whether PIPEDA needs amendments to accord with the GDPR. If PIPEDA is not deemed to offer sufficient protection relative to the GDPR, our business relationships in the EU and Canadian businesses’ abilities to process EU data may be compromised. Paige Backman provided testimony to the House of Commons’ Privacy, and Ethics Committee recommending changes to PIPEDA, including certain changes that would accord with the GDPR requirements.

The Privacy and Data Security Group at Aird & Berlis is well-equipped to help your business prepare for GDPR. For more information, please contact Paige Backman, Aaron Baer or any other member of the firm’s privacy team.
