In 16 days — May 25th — the European Union’s tough privacy law, the General Data Protection Regulation, takes effect, with some experts predicting turmoil because many businesses in and outside the union that collect personal data on EU residents aren’t entirely ready.
This week a Reuters news story suggested regulators aren’t ready either.
That’s because there won’t be one privacy regulator enforcing the GDPR across the 28 EU countries. Instead, regulators in each country or region will have the responsibility. But 17 of 24 authorities who responded to a Reuters survey said they didn’t yet have the necessary funding, or would initially lack the powers, to fulfill their GDPR duties.
“Many watchdogs lack powers because their governments have yet to update their laws to include the Europe-wide rules, a process that could take several months after GDPR takes effect on May 25,” says the story.
Italy’s data protection chief told Reuters the authority will need double its annual funding and an increase in staff to 300 from 122 to do the job.
Good news for businesses worried they may get hammered within 24 hours of the law coming into effect? No, says Canadian privacy expert Ann Cavoukian. “It’s not that Europe isn’t ready for the GDPR, it’s just that they’re under-resourced, as is the case in most jurisdictions,” she said in an email.
While it is true regulators have said initially they will be forgiving if a business is trying to comply, “EU regulators will certainly respond quickly to complaints lodged with them. It’s in the area of proactively investigating companies that most regulators won’t be able to move on. But I’m guessing that there will be plenty of complaints filed with regulators in multiple jurisdictions, which will get things moving and keep the momentum on the need for compliance with the GDPR. It is unlikely that regulators will take a light touch to obvious infractions.”
“I feel we’re going to see a lot of companies with a ‘deer in the headlights’ look” when regulators come knocking. “I think they’re going to be caught by surprise.”
What should worry businesses are the stiff financial penalties for worst-case non-compliance under GDPR: Up to €20 million, or four per cent of worldwide annual revenue of the prior financial year, whichever is higher.
Businesses have had two years’ notice that GDPR is coming. Large Canadian enterprises with offices in the EU will likely be prepared. But Cavoukian says some smaller organizations here are only just realizing they are affected. Recently she was contacted by a small manufacturing company that collects personal data from potential EU buyers “from time to time.” The firm wondered whether it could be covered by GDPR.
“You’re going to see lots of this,” said Cavoukian. “I don’t think we should be surprised come May 26th you’re going to be hearing about cases like this.” Most of the North American companies she talks to don’t have a good sense of GDPR. “They’ve heard about it, they know they should be doing something.”
The good news is that, at least initially, EU regulators won’t hammer a firm if they think it is trying to comply. The way to show that, she says, is to incorporate the principles of Privacy by Design (PbD) into their data retention policies. Briefly, that means people have to consent to having their personal data collected, and must be told why it is being collected and how it will be used. Additional consent must be obtained for any use of an individual’s data beyond that stated purpose.
Because of the complexity of GDPR, and because no one has surveyed them, it isn’t clear how many Canadian organizations that have to comply with the regulation are ready. “Some of my clients that have looked at the GDPR and concluded that it affects them have taken some pretty significant steps at beefing up their privacy management program,” said Kris Klein, a partner in the Ottawa law firm nNovation with a privacy law practice, who is also managing director of the Canadian branch of the International Association of Privacy Professionals.
“Some have gone so far as appointing a DPO (data protection officer), which is a requirement under GDPR for certain organizations. This is the case even if they don’t have robust on-the-ground operations in Europe. The fact is that they are processing the personal information of EU citizens and they do not want to risk a finding of non-compliance or, worse, a fine. Of course, there are all sorts of jurisdictional issues that arise as well which makes deciding what to do even more difficult. In the end, it is like other privacy-related regulations. That means assessing the risks and evaluating the level of effort and cost to comply and then setting up a plan that works within the particular organization.”
Another worry of some experts is that the EU will find Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), doesn’t meet GDPR standards. Federal privacy commissioner Daniel Therrien has been urging Ottawa to update PIPEDA so it will be found adequate. However, in recent testimony before the House of Commons privacy committee he acknowledged that it will be at least a year before the EU reviews PIPEDA. Until then PIPEDA’s adequacy status stands.