Transcript – Episode 3: Using standards and certification mechanisms to comply with the EU’s Data Protection Regulation

Welcome to the Canada2Europe Trade Chats, the podcast dedicated to helping Canadian companies export and expand their business to the European Union. Every month, we invite experts to provide market and sector insights as well as practical tips to help Canadian companies do business in the European Union. 

Aliénor Fagette Hello and welcome to the Canada2Europe Trade Chats. The objective of today's podcast is to explain how Canadian companies can use standardization mechanisms to meet their obligations under the EU's General Data Protection Regulation, best known under its acronym, GDPR. Since May 2018, the GDPR created stronger rules for business on how to process and manage EU personal data. It is famously known as the highest data protection standard in the world and for its significant sanctions for non-compliance. And this regulation, although European, can apply to companies outside the EU, including Canadian companies. The European Union and its member states have yet to set up certification mechanisms that would enable businesses to demonstrate compliance with the GDPR. However, there are alternatives for Canadian companies: you can already use existing standards and certification schemes in your compliance process. I am your host, Aliénor Fagette, Trade Commissioner for Digital Industries at the Mission of Canada to the European Union. With me today is Alex Héroux. Alex is a sector specialist at the innovation program of the SCC, the Standards Council of Canada, and he has been coordinating the SCC's work on the GDPR. Hi, Alex, and thanks for your participation in this podcast.

Alex Héroux Hi Aliénor, thank you so much, and Global Affairs Canada, for having me on the podcast today. Really excited to discuss not only the GDPR, as you mentioned, but also the role that standardization can play in the compliance process to GDPR.

Aliénor Fagette So for those who listen to us and have never heard of the Standards Council of Canada before today, can you briefly explain what it is and what it can do for Canadian companies?

Alex Héroux Absolutely, yes. So the SCC is a Crown corporation located in Ottawa. And our role is really to promote the use and the development of standardization strategies. And when I refer to standardization strategies, it includes standards and certification programs. So for those who are not familiar with the standardization world, standards are published documents; they have specifications, and these specifications ensure the reliability, the safety, the performance of either a material or product or service. If we look at the second aspect of standardization strategies, which is certification programs, in a very brief description, a certification program is a mechanism to verify that the standard user actually complies with the standard. So I'm sure you've been at a store and you're looking on the shelf. There are many different products, and some of these products have a certification mark. That certification mark ensures that the manufacturer, for instance, complied with the standard, and helps build that confidence and trust relationship between the consumer and the manufacturer in that instance.

Aliénor Fagette And in which ways does the SCC help Canadian companies? 

Alex Héroux Yes. So we help innovators navigate the standardization landscape. For instance, we can support them in the development of a new standard that would benefit their technology, or we could help them identify the right standards to facilitate the compliance process to a specific regulation, for instance, GDPR. 

Aliénor Fagette So talking about the GDPR, you've been coordinating the work of a Committee on Data Protection at the SCC for the past year and a half. And the outcome of this committee's work is a list of standards, and it aims to help Canadian companies fulfill their obligations under the GDPR. Can you tell us a bit more about this list? 

Alex Héroux Absolutely. So just to provide you with a little bit of background, the SCC created the Canadian Advisory Committee on GDPR around January 2018. The objective was to have a national forum with the mandate of sharing relevant information on GDPR, providing recommendations and, when possible, engaging in standardization activities to help Canadian organizations, mostly SMEs, address their obligations in relation to GDPR.

Aliénor Fagette So how did it actually work and what kind of guidance did this committee provide to Canadian SMEs? 

Alex Héroux Well, we were lucky enough to have the support of more than 50 experts coming from various fields. So we had lawyers, privacy experts, government representatives. And obviously, I mean, part of our work was to bring standards into that conversation and figure out how standards can help in the compliance process to GDPR. And so we created that guidance document. The way we developed the guidance document really comprises two aspects. We have a more common aspect where we identify key articles of the regulation. We provide a very brief description of the regulation, of the different provisions. We also included a small case study as well as examples of industries and how these industries are impacted by GDPR. But the second aspect of the document, which I think is really interesting and a little bit more unique, is the inclusion of various standards throughout the document, more specifically ISO standards. And these standards are provided with a brief description, a one-line description of what the standard is and how it can help you comply with GDPR.

Aliénor Fagette Well, thanks for this very comprehensive overview of the SCC's work, Alex. I would just like to underline something very important. Adopting standards recommended by the SCC is not a guarantee of full compliance with the GDPR. But they do provide guidance and they do enable companies to advertise compliance with some of these provisions. And we could maybe illustrate that with a more concrete example. So let's say that I am a Canadian SME and my activities in the EU require that I comply with the GDPR. Can you explain very concretely how standards and certification can help me understand and meet my obligations under the GDPR?

Alex Héroux So standardization can support a compliance process because it provides a lot of guidelines, it provides frameworks, best practices and procedures. And these procedures, although they're not directly embedded in the GDPR, still reflect some requirements that can be seen in the GDPR. And so we have a multitude of voluntary standards that have been developed to enhance best practices in data privacy, cybersecurity, information and technology protection. And these standards provide a strong foundation to Canadian organizations for their compliance with the regulation.

Aliénor Fagette So could you give us a concrete example of a standard that would be relevant for the GDPR? 

Alex Héroux Absolutely. So we can just look at one example, for instance, which is a quite popular standard: the ISO 2701 standard, information technology, information security management system. Well, that standard provides a robust framework for the establishment of an information security management system. And so although that standard is not specifically mentioned in the GDPR, having a robust information security management system is extremely helpful to comply with GDPR. So we strongly believe that these standards can facilitate the compliance process and make your compliance process so much easier with all that valuable information accessible through standards.

Aliénor Fagette So I just have two follow-up questions. And those are questions that we often get from companies. How much does the certification process cost and how long does it take?

Alex Héroux Yeah, that's a good question. And unfortunately, I will not be able to provide you with a clear answer. The certification process varies according to the certification program. It varies according to the organization that is looking to get certified, its size, its structure, the field that they're working in. And so if we're looking, for instance, at the 2701 standard and certification process, it can be as quick as six months, but it can also be longer. And if we look at the price tag, again, it depends on the standard and the organization. But I can say that it's certainly, all in all, a few thousand Canadian dollars.

Aliénor Fagette So from what you're telling us, the standardization and the certification process can be relatively long and it also has a certain cost. So why should Canadian companies spend time and money in adopting standards?

Alex Héroux Well, I strongly believe that standards are an inexpensive way to access valuable information. A standard can be one hundred dollars, two hundred dollars. And these standards are developed by experts from all around the world. And so through those standards, you get access to all the information that the experts said, oh, OK, this is what we should do in order to have a robust framework and information security; these are the procedures that we should follow. So a few hundred dollars for a standard that would provide you with the best information and the best tools, the best strategy to make your organization more secure. I think this is a really good investment in the short term and in the long term.

Aliénor Fagette Yes, absolutely. And we could also add that the adoption of standards can help companies gain trust from potential clients. So in the case of the GDPR, for example, this could allow a company to demonstrate that its IT system is robust enough to protect personal data from most cyber attacks. It can also give them de facto a competitive advantage over companies that did not adopt the standards. So hopefully all these reasons will convince you that it's worth looking at standards when your company needs to comply with the GDPR. And that concludes today's podcast. I really want to thank you for your time and participation in this podcast, Alex.

For more information, please contact the Canadian Trade Commissioner Service. We have more than 25 offices across Europe that can help you to identify opportunities and grow your business in all 27 Member States of the European Union as well as the rest of Europe. We encourage you to visit our website at and get our extensive network of business development professionals working for you.