Language selection

Search

Transcript – Episode 1: Navigating the EU Data Protection Regulation 

  • What is the GDPR and how can it apply to Canadian companies? (2:35 - 9:16)
  • International data transfers (9:17 - 10:22)
  • The six principles of the GDPR (10:23 - 15:44)
  • The obligation to appoint an EU representative (15:45 - 19:31)
  • The obligation to appoint a Data Protection Officer (19:32 - 22:10)
  • A compliance checklist (22:11 - 24:11)
  • Why should you comply with the GDPR? (24:12 - 25:57). 

Welcome to the Canada2Europe Trade Chats, the podcast dedicated to helping Canadian companies export and expand their business to the European Union. Every month, we invite experts to provide market and sector insights as well as practical tips to help Canadian companies do business in the European Union.

Jane Murphy Hello and welcome to this podcast. The objective of today's podcast is to understand the impact of the General Data Protection Regulation, also known as the GDPR. This regulation, although European, applies to companies outside the EU, including Canadian companies. Today, we're gonna cover three main questions. What is the GDPR? Are you concerned by this European regulation? And if so, what are your obligations? And thirdly, where and how do you start your compliance journey? My name is Jane Murphy and I am the founder and chair of European Data Protection Office, also known as EDPO. I was born in Quebec City and I grew up in both Montreal and Quebec City. And I came to Brussels just over 26 years ago to do an LLM in international and European law. And I've been living here ever since. So I'm a lawyer and I'm specialized in data protection law and business law. I'm really delighted to be here today to talk to you about the impacts of the GDPR for Canadian businesses. But before we start, I'd also like to introduce you to my co-host, Melanie. Melanie, could you please introduce yourself? 

Mélanie Gagnon Yes, hello, Jane. Hello, everyone. I'm very happy as well to be here. My name is Mélanie Gagnon. I'm from Quebec City and I've been in Luxembourg for five years now. I'm the President and Founder of MGSI, a data protection consulting firm established both in Quebec and Luxembourg. We help organization comply with the GDPR and we act as official external DPO for public and private organizations. And obviously, as a Canadian citizen, it's important to me to help Canadian companies understand the GDPR and to comply with it. 

Jane Murphy Super thank you Mélanie. so okay let's start at the beginning. What is GDPR and how can it apply as a European regulation to Canadian businesses? So the GDPR was adopted in 2016, but it applies since the 25th of May 2018. So companies were given two years to comply. So the GDPR is applicable not only throughout Europe, but also outside of the EU borders, so worldwide, including Canada. And the purpose of the GDPR was to strengthen both the rights of data subjects and the obligations of data controllers and of data processors. So you're probably thinking, so I'm a Canadian company, why is it important to comply with the GDPR? Well, because, among other things, there are significant sanctions for non-compliance. There are, of course, you know, the significant financial penalties, which can amount to as much as 20 million euros or four percent of global annual turnover. But there are a whole bunch of other penalties that people kind of forget about, and they can sometimes even be more damaging to your company's business than the financial penalties. So let's take, for example, supervisory authorities in Europe can order you to actually stop the processing of personal data. They can order the deletion of the data. They can investigate your company. And they can stop international data transfer and a whole bunch of things like that. So it's really a regulation that should be taken seriously all over the world, actually, and not just in Europe. So when we talk about the GDPR, are what are we talking about? So basically it's data that covers an information relating to an identified person or an identifiable person. So it doesn't only includes data such as names and surnames and email addresses, but also includes other data that we don't normally think about, like location data, IP addresses and online identifiers and things like that. And contrary to what most people think, the GDPR also applies to B2B relationships. So we get that question a lot. Well the GDPR is about personal data. So it doesn't apply to us as a business, but it does apply to B2B relationships because email addresses, unless it's a generic address like info or support customer, it always contains the personal name of a person, even if it's in a professional context. So as you can see, the scope of the GDPR bar is very, very large. The GDPR also covers what is called special categories of personal data. So that's data that's considered more sensitive. So data relating, for example, to racial or ethnic origin, biometric data or health data, which today with the health crisis is something that's very at the forefront. It's called special data due to the sensitive nature of the data. And because of that, it has to be given greater protection. So you have to really keep that in mind when you're thinking about your GDPR compliance project to see, you know, what is regular data and what is sensitive data. So now we'll have a look at what's the territory. So why would this EU regulation apply to you as a company located in Canada? There is a myth going on about the extent of the scope of the GDPR in terms of who it covers. A lot of people think it only covers European residents or European nationals. Actually, the GDPR covers data of anybody who is in Europe at the time that they provide their data. If you're a Canadian company and there's a Canadian in Europe on vacation who provides their data through your Website on the contact form or orders a product or services on your company Web site, that person will still be covered by the GDPR because there are in Europe at the moment that they provide their data. So, again, here we see how vast and broad the scope of the GDPR is. In general, the GDPR applies to non EU companies, regardless of their size, that provide goods or services to persons in Europe, regardless of whether or not payment is required for those persons. So if you're charitable organization and nonprofit organization, you can still fall under the scope of the GDPR. And it also applies to companies that monitor the behavior of such persons in so far as the behavior takes place in the EU. So here again, we're talking mainly about cookies and things of the same sort. So as you can see this, it's really broad scope, but it's not always clear to know when or how you fall as under the GDPR as a non EU company. So Melanie's going to walk us through now a series of questions that you can ask yourself that you can check to see, you know, if you fall under the GDPR. So, Melanie, can you run us through those questions, please? 

Mélanie Gagnon Yes, of course, Jane. So let's go over a few simple questions to verify whether your organization falls under the scope of the GDPR. It's important to point out that a single positive answer does not alone determine the applicability of the GDPR. You must analyze your entire situation. And this should be done, of course, on a case by case basis. So the first question is, do you promote your services to people within the EU, like through a website? And of course, it's not because your website is accessible to people in the EU that you must comply to the GDPR. Several criteria can determine whether you are targeting these individuals. The first one is your Web site, translated into several languages spoken in the EU, like German or Dutch. Do you use a European domain name like .eu, .be for Belgium, .lu for Luxembourg? Do you allow payment in euro or other European currencies? And do you deliver your products within Europe? And can people within the EU fill in contact forms, apply for a job or subscribe to your newsletter? Do you attract people's behavior on your website by using infamous cookies, for instance, or do you perform profiling through your website? Or do you perform predictive analysis of people's behavior, preferences, habits, et cetera. And there's some other questions, naturally, than the website. Do you have any employees within the EU? Does your organization act on the behalf of a European organization? Are you data processor of a European company? If so, it's important to understand that those companies have an obligation to engage with data processors offering sufficient guarantees. And we have to formalize this relationship through a written contract, including audits of the compliance by the said company. 

Jane Murphy Speaking of contracts, Melanie, it's indeed really important to have solid contracts in place, especially to cover transfer of personal data from the EU to Canada. If you have personal data in the EU, you are not allowed to transfer personal data outside of the EU unless you have an exception in place or a transfer mechanism that's there to protect the data. So Canada in this sense benefits from what we call an adequacy decision. So the European Commission has determined that Canada offers sufficient protection to EU personal data so you can transfer data to Canada as you would within the EU. But we have to be careful here because this adequacy decision only covers certain number of companies that fall under the PIPEDA legislation in Canada. So not all companies can benefit from that. So you have to really look on a case by case basis if you can use this adequacy decision to receive data in Canada or if you can fall under another category of protection. You know, we can we can think here of the standard contractual clauses or binding corporate rules, but that has to be also included in in the contract, as we've seen there are many obligations to comply with under the GDPR. Even as a Canadian company. But before we discuss these obligations, it's really important also to first understand the principles of the GDPR. So let's go over these briefly. There are seven of them, so seven principles to protect the personal data in Europe. The first principle is all about the legal basis that allows you to process the personal data. There are a total of six legal basis. There is, of course, as in Canada, the consent of the person concerned. But there are other legal bases is and we often forget that, for example, you can also process personal data in the context of the execution of a contract or legal obligation or legitimate interest. But we have to remember that at all times, you have to choose one single basis. So you can't change a legal basis as you wish. For example, if you start with a written contract and then something happens and you say, oh, we're going to obtain consent, what usually happens is the other way around, actually, is that people start with consent. But given that consent can be withdrawn by the data subject by the individual in Europe at any time, then you're left with no legal basis and then you'll say, well, OK, let's use contract then as a legal basis. Well, that's a no, no, you can't do that. So choose one legal basis and you have to be really transparent about what you choose. So this is typically done in a privacy policy that you put up on your website. You have to be very clear of, you know, how you're going to process a data where you're going to do with it. The second principle is the purpose limitation, so personal data can only be collected for specific or explicit and legitimate purposes. So basically the personal data can only be processed for what you're saying it's going to be processed for. That's it. For example, if you collect data for a survey or for a contest, so people sign up for the contest or the survey, well, you can't use that information afterwards to start, you know, sending a whole bunch of information or sending a newsletter. So specific purpose and it has to be a legitimate purpose, of course. The third principle is data minimization. So personal data can only be processed if it's relevant, if it's adequate for the purpose that you've already explained in their privacy policy. And the bottom line is it has to be limited to what is strictly necessary. You can't collect more data than you need. So if, again, if we use the example of the contest. If you have the name and the email address of somebody that should be sufficient. You don't need to have the birthdate or the color of their eyes or any other information that's not relevant. So, Melanie, can you walk us through the other principles, please? 

Mélanie Gagnon So the fourth principle is a accuracy so personal data should be accurate and kept up to date. All reasonable measures should be taken to rectify or delete inaccurate data because processing inaccurate data can lead, of course, to false outcomes. The fifth one is the overlooked principle: storage limitation. We can't keep data forever. Personal data must be stored for a limited duration and deleted after they are no longer necessary. However, they can be stored for longer period when processed for archiving, statistical, scientific research or historical research purposes. But only if the appropriate technical and organizational measures are implemented like pseudonymization. The main new principal of the GDPR is accountability. The controller or processor should be able to demonstrate their compliance. So they must be able to demonstrate to the supervisory authorities that the processing of personal data has been done according to the provisions of the GDPR. This principle implies that you have to keep records of processing activities and a record of every data breaches and that you have to document and justify every decision that you take regarding personal data. The principle of integrity and confidentiality is linked to another requirement of the GDPR. Which is information security. It's obviously a crucial element data protection. And both the GDPR and information security are founded on a risk based approach. So in this context, controller or processor must take appropriate technical and organizational measures proportionate to the risk identified. Are these measures to protect personal data against unlawful or unauthorized processing disclosure lost or accidental damage? There's two additional requirements linked to the risk based approach, which are the data protection impact assessment and the privacy by design and by default. This means that data protection must be integrated at the very beginning of any project and throughout its entire existence. Using, of course, the risk based approach. So we've seen the principle of the GDPR, now let's talk about obligations. So, Jane, can you tell us about the obligation to appoint an EU representative? 

Jane Murphy Sure, Melanie. Thank you very much. So this is an obligation that's called the forgotten obligation. And it only applies outside of the EU. This obligation is the obligation to appoint a GDPR representative in the EU. So when do you have to appoint a GDPR representative? Well, if you're based outside the EU and you fall under the scope of the GDPR. So we've seen, as an non-EU company, that to fall under the scope means that you're offering products or services to people in Europe or that you're monitoring their behavior. You have to check then if you have an establishment in the EU, there's no definition of what it is. So it's not necessarily just a subsidiary or branch. It could also be you have a sales agent as long as you have a substantial link already in the EU that would be considered an establishment. So if you don't have an establishment in the E.U., you have to appoint a GDPR representative. And that's what we do at EDPO. And there are three exceptions. First of all, if you're a public authority, not just an EU one, but any public authority, even in Canada, you don't need one. And that's because you need to appoint a DPO, a data protection officer. And Melanie will explain a bit later on what that means. And there are a few other exceptions, actually. There are three of them that allow you to not appoint a representative. But these are cumulative and and they're very restrictive. So in practice, we've never seen this being used to avoid to have to appoint a representative. So why do you have to appoint a representative and what do they actually do? The representative has three main functions. So the representative is the point of contact for individuals in Europe. So you're going to post the EU rep's contact details on your privacy policy on their website. So people in the EU who want to exercise the rights under their GDPR, for example, to have their data deleted or to obtain a copy of their data, for example, they can contact us to get that information. And then we liaise with the company outside of the EU to see, you know, how we can respond to those rights. The second task that we have is to be the point of contact for supervisory authorities. That could be a bit daunting sometimes when you're contacted by the authorities. It could be stressful. So we're there to help you understand what they want and to respond to them. The third thing that we have to do is keep a record of your register of processing activities. Now, this register is a document in which you're going to explain what types of processing that you do with EU personal data. There's no mandatory format required for the register. So it can be a simple Excel document as long as you have all the required information in the register. So we know what kind of data you're collecting from whom? Where are you transferring it? If you're transferring it, how long you're going to keep it? And information just as that and an additional service that we provide at EDPO is the assistance with the notification of data breaches to the supervisory authority. So it's important to know that the procedure for notifying data breaches can be really stressful for companies because the procedure varies from one country to another country in the EU and it must be done in the official language of the country at all of this has to be done in 72 hours, as from the moment at which you become aware of the data breach. So we help companies on that side, you know, trying to understand if the companies have to notify the data breach the authorities, and then we help them with notification. Very important thing to keep in mind is that the representative can only act under the instructions of its clients because we act under a mandate agreement. So we have no leeway, no flexibility on how we can act. So that's the exact opposite of the role of a data protection officer that we call a DPO. So the DPO has to be completely independent. So Mélanie is going to run us through what a DPO does and what their function is. And, well, basically tell us everything about a DPO, because she acts as DPO for companies all over the world. Melanie, can you tell us a little bit more, please? 

Mélanie Gagnon Yes, of course. The DPO is the person in charge of the protection of personnel data processed by any organization. The controllor or processor must appoint a DPO in 3 cases, if the processing activity is done by a public sector company, even outside the EU. Companies, which as part of their core business carry out regular and systematic large scale monitoring of the data subjects, think about tracing applications in the context of Covid. And the third case in which companies have to appoint a DPO is when they process sensitive data, you remember like healthcare data, biometric data or data relating to criminal convictions also on a large scale. One thing to keep in mind is that these rules are applicable regardless of the size of the entity. So even a startup of two employees must appoint a DPO, if it fulfills one of these criteria. But concretely, what's a DPO, he or she is the pilot of GDPR compliance. But the DPO is not personally responsible for not compliance with data protection requirements. The responsibility lays up on the controller or the processor. But what are the main tasks of the DPO? The DPO inform and advise the controller and processor about the regulation, monitor and audit compliance with the GDPR and other applicable data protection laws. Educate and train all staff member. Provide advices to the controller for the data protection impact assessment. And is the contact point of the supervisory authority and can be contacted directly by data subjects. The DPO can be an employee or perform his missions under a service contract like an external DPO. But it's strongly recommended by the European Data Protection Board for the DPO to be on the EU territory and he must be independent within the organization. On the contrary of the representative, the DPO does not receive any instruction concerning his mission. And finally, missions as DPO must not result in a conflict of interest, the DPO cannot have operational tasks and audit at the same time. And he can be a member of the management Committee. 

Jane Murphy So, Melanie, maybe you can tell us where do we start with compliance? Because, you know, it's already challenging for EU companies, but even more for non-EU companies because they're so far away from the GDPR as a regulation, where do they start with their compliance? 

Mélanie Gagnon It can be really scary, of course, but it doesn't have to be and it doesn't have to cost a fortune. If you apply the risk based approach and take it a step at that time, it can be a manageable project at a reasonable cost. One thing to keep in mind is that only the processing activities that relate to EU personal data must be compliant with the GDPR. So, for example, if all your employees are in Canada, you don't need to comply with the GDPR for all your H.R. processes. So let's go through an action list for your GDPR compliance. The first thing is to do an inventory in order to identify aspects that do not comply with the GDPR and establish a pragmatic action plan which can include the appointment of a DPO, the appointment of a representative within the EU. You must as well verify compliance of the policies, procedures, registers and bring into compliance your websites accessible from EU. Establish or update all your contracts with debt processors. And verify, of course, every security measure, the technical and organizational measures, the last one and not the least, train and raise awareness among employees to the good practices and principles of the GDPR.

Jane Murphy Yeah. I think the last one is a very important one, Melanie, especially given the fact that recent studies show that between 70 and 80 percent of data breaches are caused by employees. So, you know, not necessarily with a malicious intent, but nevertheless something to be kept in mind. So to conclude, why should you comply with the GDPR? I think the message we like to bring across today is that it's not simply a question of avoiding sanctions. Compliance with the GDPR also offers a lot of opportunities for companies in terms of competitiveness, partnerships, consumer confidence and just, you know, all around good reputation because the GDPR is one of the highest or I think it is the highest data protection standard in the world. So if you're compliant with the GDPR, you'll also be compliant with the rest of the world, it is kind of like data protection compliance passport. So that's the end of our overview of the impact of the GDPR for Canadian businesses. Thank you so much to the Canadian embassy for inviting us. And of course, we remain at your disposal if you have any questions about how to comply with the GDPR. Thank you.

For more information, please contact the Canadian Trade Commissioner Service. We have more than 25 offices across Europe that can help you to identify opportunities and grow your business in all 27 Member States of the European Union as well as the rest of Europe. We encourage you to visit our website at tradecommissioner.gc.ca and get our extensive network of business development professionals working for you.

Date Modified: