Lexpert magazine features articles and columns on developments in legal practice management, deals and lawsuits of interest in Canada, the law and business issues of interest to legal professionals and businesses that purchase legal services.
Issue link: https://digital.carswellmedia.com/i/780150
LEXPERT MAGAZINE | JANUARY/FEBRUARY 2017
DATA PROTECTION | THE BORDER

New regime may blindside companies

Study shows most Canadian businesses are unprepared for EU's General Data Protection Regulation

BY JULIUS MELNITZER

A recent Dell Inc. survey shows that Canadian companies are among the many organizations around the world that lack awareness of and preparation for the European Union's new General Data Protection Regulation (GDPR), which comes into force in May 2018.

The GDPR, which creates a comprehensive regulatory regime for handling the personal information of EU citizens, has extensive extraterritorial reach.

"The regulation doesn't just apply the standard territorial analysis that affects companies who have an office, a server, or employees located in the EU," says David Elder of Stikeman Elliott LLP in Ottawa. "It also applies to any organization located anywhere in the world that offers goods and services to the EU or monitors the behaviour of EU residents."

The legislation has considerable teeth.

"Maximum fines can amount to four per cent of a company's global revenue, or €20 million, whichever is greater," says Florian Malecki, International Product Marketing Director for SonicWall, an internet security company headquartered in California and a Dell subsidiary.

Despite the potential consequences, however, the Dell survey shows that more than 80 per cent of respondents knew few details or nothing at all about GDPR; fewer than one third of companies felt prepared for GDPR; 70 per cent of IT and business professionals said they were not, or didn't know if their company was prepared for GDPR; and only three per cent of these respondents had a plan for readiness.

The hard data is even more daunting because the respondents included only those IT and business professionals responsible for data privacy whose organization had more than 10 per cent of its customer base in Europe. Respondents came from the US, UK, Canada, Asia Pacific, Germany, Sweden, Benelux, France, Italy, Spain and Poland. Results from US and Canadian respondents, who made up some 200 of the approximately 800 individuals queried, reflected the survey's general findings.

"I saw nothing that sticks out that might indicate that Canada or the US are any different from the rest of the world regarding their awareness and preparation for GDPR," Malecki says. "In fact, the greatest exposure seems to be from companies outside the European Union who are dealing with European customers, because their level of awareness is even lower than average."

The survey sampled small and medium-sized enterprises (SMEs) as well as very large companies. "I wasn't as surprised at the results from SMEs as I was at the overall lack of awareness in the larger respondents," Malecki says.

While Canadian companies may have less to worry about than their US counterparts because Canadian privacy laws more closely approximate the GDPR, there are significant differences.

"The GDPR requires breach notification, which is a requirement only in Alberta and is coming down the pipe on the federal level," Elder says. "As well, the GDPR requires more explicit, compartmentalized and granular consent than the general consent required in Canada."

In other words, Canadian companies affected by GDPR will need to break down the purposes and uses to which they will put personal information in a finer fashion in order to give greater choice to individuals who are consenting.

"We don't know yet what the GDPR consent requirements will look like exactly, but the issue is causing concern here," Elder adds.

The upshot is that it's not too early for Canadian companies to start looking at the GDPR. "At the very least, companies will want to do an initial assessment to see how they are affected so that they can ensure a seamless transition," he says.

More particularly, Elder believes that companies should — among other things — start thinking about whether they want to incorporate different forms of notice, stop certain practices, and have separate websites for EU customers.

For its part, Dell recommends that affected companies should start to address all GDPR requirements by beefing up solutions for access governance and management, secure mobile access, email security, as well as for protecting the perimeter of their networks.

The good news is that it's still early enough to consider compliance in an orderly fashion.

"I wouldn't say it's time to panic quite yet," Elder says. "But others may certainly disagree."

