Transcript – Episode 1: Navigating the EU Data Protection Regulation
- What is the GDPR and how can it apply to Canadian companies? (2:35 - 9:16)
- International data transfers (9:17 - 10:22)
- The six principles of the GDPR (10:23 - 15:44)
- The obligation to appoint an EU representative (15:45 - 19:31)
- The obligation to appoint a Data Protection Officer (19:32 - 22:10)
- A compliance checklist (22:11 - 24:11)
- Why should you comply with the GDPR? (24:12 - 25:57)
Welcome to the Canada2Europe Trade Chats, the podcast dedicated to helping Canadian companies export and expand their business to the European Union. Every month, we invite experts to provide market and sector insights as well as practical tips to help Canadian companies do business in the European Union.
Jane Murphy Hello and welcome to this podcast. The objective of today's podcast is to understand the impact of the General Data Protection Regulation, also known as the GDPR. This regulation, although European, applies to companies outside the EU, including Canadian companies. Today, we're gonna cover three main questions. What is the GDPR? Are you concerned by this European regulation? And if so, what are your obligations? And thirdly, where and how do you start your compliance journey? My name is Jane Murphy and I am the founder and chair of European Data Protection Office, also known as EDPO. I was born in Quebec City and I grew up in both Montreal and Quebec City. And I came to Brussels just over 26 years ago to do an LLM in international and European law. And I've been living here ever since. So I'm a lawyer and I'm specialized in data protection law and business law. I'm really delighted to be here today to talk to you about the impacts of the GDPR for Canadian businesses. But before we start, I'd also like to introduce you to my co-host, Melanie. Melanie, could you please introduce yourself?
Mélanie Gagnon Yes, hello, Jane. Hello, everyone. I'm very happy as well to be here. My name is Mélanie Gagnon. I'm from Quebec City and I've been in Luxembourg for five years now. I'm the President and Founder of MGSI, a data protection consulting firm established both in Quebec and Luxembourg. We help organizations comply with the GDPR and we act as official external DPO for public and private organizations. And obviously, as a Canadian citizen, it's important to me to help Canadian companies understand the GDPR and to comply with it.
Jane Murphy Super, thank you Mélanie. So, okay, let's start at the beginning. What is the GDPR and how can it apply, as a European regulation, to Canadian businesses? So the GDPR was adopted in 2016, but it has applied since the 25th of May 2018. So companies were given two years to comply. So the GDPR is applicable not only throughout Europe, but also outside of the EU borders, so worldwide, including Canada. And the purpose of the GDPR was to strengthen both the rights of data subjects and the obligations of data controllers and of data processors. So you're probably thinking, so I'm a Canadian company, why is it important to comply with the GDPR? Well, because, among other things, there are significant sanctions for non-compliance. There are, of course, you know, the significant financial penalties, which can amount to as much as 20 million euros or four percent of global annual turnover. But there are a whole bunch of other penalties that people kind of forget about, and they can sometimes even be more damaging to your company's business than the financial penalties. So, for example, supervisory authorities in Europe can order you to actually stop the processing of personal data. They can order the deletion of the data. They can investigate your company. And they can stop international data transfers and a whole bunch of things like that. So it's really a regulation that should be taken seriously all over the world, actually, and not just in Europe. So when we talk about the GDPR, what are we talking about? So basically it's data that covers any information relating to an identified person or an identifiable person. So it doesn't only include data such as names and surnames and email addresses, but also includes other data that we don't normally think about, like location data, IP addresses and online identifiers and things like that. And contrary to what most people think, the GDPR also applies to B2B relationships. So we get that question a lot.
"Well, the GDPR is about personal data. So it doesn't apply to us as a business." But it does apply to B2B relationships because an email address, unless it's a generic address like info or support customer, always contains the personal name of a person, even if it's in a professional context. So as you can see, the scope of the GDPR is very, very large. The GDPR also covers what is called special categories of personal data. So that's data that's considered more sensitive. So data relating, for example, to racial or ethnic origin, biometric data or health data, which today with the health crisis is something that's very much at the forefront. It's called special data due to the sensitive nature of the data. And because of that, it has to be given greater protection. So you have to really keep that in mind when you're thinking about your GDPR compliance project to see, you know, what is regular data and what is sensitive data. So now we'll have a look at the territory. So why would this EU regulation apply to you as a company located in Canada? There is a myth going on about the extent of the scope of the GDPR in terms of who it covers. A lot of people think it only covers European residents or European nationals. Actually, the GDPR covers data of anybody who is in Europe at the time that they provide their data. If you're a Canadian company and there's a Canadian in Europe on vacation who provides their data through your website on the contact form or orders a product or services on your company website, that person will still be covered by the GDPR because they are in Europe at the moment that they provide their data. So, again, here we see how vast and broad the scope of the GDPR is. In general, the GDPR applies to non-EU companies, regardless of their size, that provide goods or services to persons in Europe, regardless of whether or not payment is required from those persons.
So if you're a charitable or nonprofit organization, you can still fall under the scope of the GDPR. And it also applies to companies that monitor the behavior of such persons in so far as the behavior takes place in the EU. So here again, we're talking mainly about cookies and things of the same sort. So as you can see, it's a really broad scope, but it's not always clear to know when or how you fall under the GDPR as a non-EU company. So Mélanie's going to walk us through now a series of questions that you can ask yourself, that you can check, to see, you know, if you fall under the GDPR. So, Mélanie, can you run us through those questions, please?
Mélanie Gagnon Yes, of course, Jane. So let's go over a few simple questions to verify whether your organization falls under the scope of the GDPR. It's important to point out that a single positive answer does not alone determine the applicability of the GDPR. You must analyze your entire situation. And this should be done, of course, on a case-by-case basis. So the first question is, do you promote your services to people within the EU, like through a website? And of course, it's not because your website is accessible to people in the EU that you must comply with the GDPR. Several criteria can determine whether you are targeting these individuals. The first one is: is your website translated into several languages spoken in the EU, like German or Dutch? Do you use a European domain name like .eu, .be for Belgium, .lu for Luxembourg? Do you allow payment in euro or other European currencies? And do you deliver your products within Europe? And can people within the EU fill in contact forms, apply for a job or subscribe to your newsletter? Do you track people's behavior on your website by using the infamous cookies, for instance, or do you perform profiling through your website? Or do you perform predictive analysis of people's behavior, preferences, habits, et cetera? And there are some other questions, naturally, beyond the website. Do you have any employees within the EU? Does your organization act on behalf of a European organization? Are you a data processor of a European company? If so, it's important to understand that those companies have an obligation to engage with data processors offering sufficient guarantees. And we have to formalize this relationship through a written contract, including audits of the compliance by the said company.
Mélanie Gagnon So the fourth principle is accuracy, so personal data should be accurate and kept up to date. All reasonable measures should be taken to rectify or delete inaccurate data because processing inaccurate data can lead, of course, to false outcomes. The fifth one is the overlooked principle: storage limitation. We can't keep data forever. Personal data must be stored for a limited duration and deleted after they are no longer necessary. However, they can be stored for a longer period when processed for archiving, statistical, scientific research or historical research purposes. But only if the appropriate technical and organizational measures are implemented, like pseudonymization. The main new principle of the GDPR is accountability. The controller or processor should be able to demonstrate their compliance. So they must be able to demonstrate to the supervisory authorities that the processing of personal data has been done according to the provisions of the GDPR. This principle implies that you have to keep records of processing activities and a record of every data breach, and that you have to document and justify every decision that you take regarding personal data. The principle of integrity and confidentiality is linked to another requirement of the GDPR, which is information security. It's obviously a crucial element of data protection. And both the GDPR and information security are founded on a risk-based approach. So in this context, the controller or processor must take appropriate technical and organizational measures proportionate to the risk identified. These measures are to protect personal data against unlawful or unauthorized processing, disclosure, loss or accidental damage. There are two additional requirements linked to the risk-based approach, which are the data protection impact assessment and privacy by design and by default.
This means that data protection must be integrated at the very beginning of any project and throughout its entire existence, using, of course, the risk-based approach. So we've seen the principles of the GDPR, now let's talk about obligations. So, Jane, can you tell us about the obligation to appoint an EU representative?
Mélanie Gagnon Yes, of course. The DPO is the person in charge of the protection of personal data processed by any organization. The controller or processor must appoint a DPO in three cases: if the processing activity is done by a public sector company, even outside the EU; companies which, as part of their core business, carry out regular and systematic large-scale monitoring of the data subjects, think about tracing applications in the context of Covid; and the third case in which companies have to appoint a DPO is when they process sensitive data, you remember, like healthcare data, biometric data or data relating to criminal convictions, also on a large scale. One thing to keep in mind is that these rules are applicable regardless of the size of the entity. So even a startup of two employees must appoint a DPO if it fulfills one of these criteria. But concretely, what's a DPO? He or she is the pilot of GDPR compliance. But the DPO is not personally responsible for non-compliance with data protection requirements. The responsibility lies upon the controller or the processor. But what are the main tasks of the DPO? The DPO informs and advises the controller and processor about the regulation, monitors and audits compliance with the GDPR and other applicable data protection laws, educates and trains all staff members, provides advice to the controller for the data protection impact assessment, and is the contact point of the supervisory authority and can be contacted directly by data subjects. The DPO can be an employee or perform his missions under a service contract, like an external DPO. But it's strongly recommended by the European Data Protection Board for the DPO to be on the EU territory, and he must be independent within the organization. Contrary to the representative, the DPO does not receive any instruction concerning his mission.
And finally, missions as DPO must not result in a conflict of interest: the DPO cannot have operational tasks and audit at the same time. And he can be a member of the management committee.
Jane Murphy So, Mélanie, maybe you can tell us where do we start with compliance? Because, you know, it's already challenging for EU companies, but even more for non-EU companies because they're so far away from the GDPR as a regulation. Where do they start with their compliance?
Mélanie Gagnon It can be really scary, of course, but it doesn't have to be, and it doesn't have to cost a fortune. If you apply the risk-based approach and take it a step at a time, it can be a manageable project at a reasonable cost. One thing to keep in mind is that only the processing activities that relate to EU personal data must be compliant with the GDPR. So, for example, if all your employees are in Canada, you don't need to comply with the GDPR for all your HR processes. So let's go through an action list for your GDPR compliance. The first thing is to do an inventory in order to identify aspects that do not comply with the GDPR and establish a pragmatic action plan, which can include the appointment of a DPO and the appointment of a representative within the EU. You must as well verify compliance of the policies, procedures and registers, and bring into compliance your websites accessible from the EU. Establish or update all your contracts with data processors. And verify, of course, every security measure, the technical and organizational measures. The last one, and not the least, is to train and raise awareness among employees of the good practices and principles of the GDPR.
Jane Murphy Yeah. I think the last one is a very important one, Mélanie, especially given the fact that recent studies show that between 70 and 80 percent of data breaches are caused by employees. So, you know, not necessarily with a malicious intent, but nevertheless something to be kept in mind. So to conclude, why should you comply with the GDPR? I think the message we'd like to bring across today is that it's not simply a question of avoiding sanctions. Compliance with the GDPR also offers a lot of opportunities for companies in terms of competitiveness, partnerships, consumer confidence and just, you know, all-around good reputation, because the GDPR is one of the highest, or I think it is the highest, data protection standard in the world. So if you're compliant with the GDPR, you'll also be compliant with the rest of the world; it is kind of like a data protection compliance passport. So that's the end of our overview of the impact of the GDPR for Canadian businesses. Thank you so much to the Canadian embassy for inviting us. And of course, we remain at your disposal if you have any questions about how to comply with the GDPR. Thank you.
For more information, please contact the Canadian Trade Commissioner Service. We have more than 25 offices across Europe that can help you to identify opportunities and grow your business in all 27 Member States of the European Union as well as the rest of Europe. We encourage you to visit our website at tradecommissioner.gc.ca and get our extensive network of business development professionals working for you.