In today’s world, protecting our personal information from corruption, compromise or loss is essential. The European Union’s (EU’s) newly implemented General Data Protection Regulation (GDPR) is a big step toward safeguarding data. This new regulation fundamentally changes how data are handled in every sector from banking to health care.

What is the General Data Protection Regulation (GDPR)?

The European Union General Data Protection Regulation (EU GDPR) came into effect on May 25, 2018. It is enforced by the European Commission and aims to harmonize data protection laws across the region. 

The regulation applies to data controllers and data processors based in the EU, as well as those offering goods or services to people living within the EU or those who monitor the behavior of EU residents.

Not complying with the GDPR can result in a fine of $20 million euros or four per cent of a business’ annual worldwide revenue. 

For more information, visit the European Commission’s website. 

How does the GDPR affect Canadian organizations?

The GDPR not only applies to organizations located within the EU but also applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. Canadian organizations need to abide to this regulation if they offer goods or services to, or monitor the behaviour of, EU data subjects.

The GDPR also requires the European Commission to monitor data protection laws in countries beyond Europe, including Canada. Only if a country’s protections are deemed adequate can personal data flow from the EU to that country without additional safeguards being applied. 

Canada’s federal government reports regularly to the European Commission in order to preserve Canada’s existing “adequacy status.” Those reports are available here under the heading “Reports to the European Commission.” 

How is SCC helping Canadian organizations deal with GDPR?

The Standards Council of Canada (SCC) established the Canadian Advisory Committee on GDPR (CAC-GDPR) as part of its Innovation Program. Any representative of a Canadian industry, association, academic institution, non-for-profit organization, public interest group or federal, provincial or territorial government can become a member of this committee if they are affected by the GDPR or interested in the business opportunities it may offer. 

How does the CAC-GDPR help Canadian organizations?

The CAC-GDPR is a national forum that helps Canadian organizations better understand this regulation so they can meet their obligations with regard to the GDPR—and take advantage of any business opportunities it creates. 

The committee’s mandate is to share relevant information and recommendations and promote Canadian participation in standardization activities with respect to GDPR. It also serves as a national forum to develop and relay consensus positions to influence the development of national, regional and international standards and conformity assessment schemes related to GDPR as well as data protection and privacy in general. 

The committee also identifies challenges Canadian organizations may face in fulfilling their obligations with the regulation, and suggests data privacy and protection best practices and standards that could help Canadians compete in the European marketplace. 

How can you get involved?

SCC encourages all Canadians to participate in the development of standards that impact them. If you want to learn more about GDPR, how GDPR impacts Canadians and Canadian businesses or how to participate in standardization activities related to GDPR please contact SCC at info@scc.ca.

Official resources from EU governments

• European Commission: 2018 reform of EU data protection rules
• The European Data Protection Board (EDPB)
• European Commission, Article 29 Working Party Guidelines
• Guide to the General Data Protection Regulation (GDPR), from the Information Commissioner’s Office (ICO) of the United Kingdom
• Data Protection Commissioner: Dublin and Portarlington, from Ireland
• RGPD: passer à l’action, from France’s Commission nationale de l’informatique et des libertés (CNIL) (French only)

Resources from Canadian government bodies

• Global Affairs Canada - The Canadian Trade Commissioner Service
• Office of the Privacy Commissioner of Canada
• Information and Privacy Commissioner of Ontario
• Office of the Information and Privacy Commissioner of British Columbia
• Office of the Information and Privacy Commissioner of Alberta
• La Commission d’accès à l’information du Québec (French only)

Other useful resources

• White & Case handbook
• Canadian Federation of Independent Business
• Canadian Marketing Association (CMA)

Articles about GDPR

• Data Protection Trends: What GDPR And Other Regulations Mean For 2019 And Beyond (Forbes, March 2019)
• Over 59,000 personal data breaches reported across Europe since introduction of GDPR (DLA Piper, Feb. 2019)
• Study shows Canada isn’t meeting most or all GDPR requirements (Mobilesyrup, Jan. 2019)
• Amende record de 75 M$ à Google pour avoir violé la loi européenne sur la vie privée (Radio-Canada, Jan. 2019)

How can you get involved?

SCC encourages all Canadians to participate in the development of standards that impact them. If you want to learn more about GDPR, how GDPR impacts Canadians and Canadian businesses or how to participate in standardization activities related to GDPR please contact SCC at info@scc.ca.