Doing the business math of GDPR compliance

Privacy legislation isn’t new. But thanks to headlines outing corporations that leak customer information and, more recently, the usage of Facebook data to sway political events, interest in privacy has spiked.

The European Union’s General Data Protection Regulation (GDPR) began its evolution long before these headline-grabbing events took place. Thanks to its promised effects on business, GDPR has sparked interest outside the EU. Will it be the incentive organizations need to make data protection and privacy a fundamental part of their processes?

How Canada stacks up

Canada is one of 11 countries to have “adequacy status” conferred upon it by the EU. “Organizations within those countries can transfer personal information of EU data subjects without further procedural or contractual protection,” said Baker & McKenzie LLP of counsel Dean Dolan, who advises clients on GDPR with help from student-at-law Maneesha Gupta.

Distance to GDPR compliance

To Dolan’s words, Sylvia Kingsmill adds “for now. Many areas of PIPEDA don’t offer the same level of protection (as GDPR).”

“For example, privacy by design is not letter of the law in PIPEDA like it is in Europe,” says KPMG Canada’s Canadian digital privacy and compliance leader.

Toronto lawyer and academic Omar Ha-Redeye pays special attention to Article 17 (of 99), otherwise known as the right to be forgotten. Ha-Redeye does not see this as purely a consumer play.

He offered a sample scenario: an executive is charged with white-collar crime. The charge makes headlines and affects the company’s reputation. After investigation, the executive is cleared of all charges. But when you Google the individual or the company later, that allegation still tops search results.

“We don’t want to hide information that’s accurate,” Ha-Redeye said. “We’re looking for information that is likely to mislead the public. Information that’s outdated and no longer accurate doesn’t serve the public, or investors trying to decide whether they should invest in a company.”

Other GDPR protections that Canadian privacy law doesn’t yet cover include the right to:

  • data portability;
  • object to marketing in certain situations;
  • not automatically be profiled.

Obstacles to GDPR compliance

Drawing on her observations, Kingsmill said: “The privacy function is chronically underfunded, understaffed, overworked,” while GDPR is “dense” and “nuanced.” She added, “We still need more guidance.”

Should data-hungry businesses try the Facebook cat-and-mouse GDPR evasion game? “Part of their approach is to run around, run away from it,” Ha-Redeye said of corporations that attempt to limit GDPR exposure.

Obstacles to GDPR avoidance

Ha-Redeye figures mice will have less room to hide as jurisdictions like Canada enact laws that mirror parts of GDPR. He pointed to new guidance issued by the Information and Privacy Commissioner on mandatory reporting of health information breaches last fall. Dolan noted that Canada passed mandatory breach notification that will come into effect this November.

Jurisdictions around the world are also enacting data privacy legislation. “Asia PAC are already emulating GDPR,” said Kingsmill. “Many countries outside the EU are starting to look to the GDPR as the gold standard.”

“It will be increasingly difficult to find less privacy restrictive jurisdictions where you can set up your operations,” Dolan concluded.

Jurisdictional lines may prove useless when developing a GDPR strategy. Partway through our conversation, I asked Dolan to define a term he had been using: “EU data subject.”

Dolan chuckled. “It’s the term they use when they talk about this stuff. You don’t need to be a citizen or permanent resident of the EU to be protected by GDPR.” Could it become just as difficult to define “subjects” of other countries’ data privacy regulations?

Definitions aside, “should Canada not look out for its own citizens’ rights when Canadian-based companies must give more rights to citizens of other countries?” Ha-Redeye asked.

The calculus of GDPR compliance

The answer to Ha-Redeye’s rhetorical question may hinge on business calculus: does a company earn more revenue when it segments customers by data privacy jurisdiction than it incurs in the costs of such segmentation? Or will one standardized policy be better for business in the long run? And are the risks justified?

The fine for one GDPR breach is four per cent of a company’s annual revenues. But can EU regulators levy fines against Canadian companies that don’t maintain a physical footprint in Europe?

Baker & McKenzie’s Dolan thinks they could, given a history of large international privacy-related investigations where privacy regulators from multiple countries work together on specific investigations.

But the fines may not matter. The Cambridge Analytica debacle triggered headlines, followed by a huge drop in Facebook’s market capitalization, then Cambridge Analytica’s declaration of bankruptcy. “The naming and shaming function, being exposed as not prioritizing privacy and security of personal information you possess is far more damaging than any fine,” Dolan believes.

“Corporations can still earn a healthy profit if they do the right thing,” Kingsmill optimistically added.

This article originally appeared on The Lawyer’s Daily website, published by LexisNexis Canada Inc.
