Login

Govern yourself accordingly: How organisations can implement their own GDPR compliance

Govern yourself accordingly: How organisations can implement their own GDPR compliance

Sponsored by

Canada’s sluggish response to updating its privacy legislation to address the concerns addressed in the General Data Protection Regulation (“GDPR”) may jeopardize the adequacy status from which the country, and by extension companies regulated by the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), benefit. Add to this the prevailing uncertainty regarding whether organisations in British Columbia, Alberta, and Quebec benefit from adequacy status at all since these organisations are regulated by their respective provincial laws which have not received adequacy recognition, it might be a good idea for organisations that process information on European nationals to begin to take GDPR compliance into their own hands.

Most Read

National Bank cannot fulfill Greek bank’s credit guarantee due to fraud exception: SCC

Canada facing pervasive ransomware, broader cyber-criminal landscape and threat from AI: lawyer

Ontario Court of Appeal rules against real estate developer for breach of a joint venture agreement

The following steps provide a brief overview of the measures an organization should take to become GDPR compliant:

  • Appoint a Privacy Officer or, in smaller organisations, a go-to person for data protection.
  • Create a data register in which the organisations’ departments (ie. human resources, marketing, finance, etc.) describe the data they process, the people or institutions within and outside the organisation to whom the data is transferred, retention and destruction procedures and safeguards.
  • Prioritise compliance by ensuring that:

a. only necessary data is being collected;
b. the legal basis for data collection are respected;
c. clear and explicit privacy notices are drafted to inform individuals of how their data will be collected, stored, used, retained, and transferred;
d. suppliers and subcontractors are compliant and have signed agreements testifying to this compliance;
e. either model clauses are in place for documents involving data transfers between Europe and Canada or other accepted measures are being used;
f. data access, amendment, and take-down procedures are in place; and
g. data-breach response procedures are in place

  • Conduct a privacy impact analysis to determine which data is at greatest risk and how to protect it.
  • Establish processes including continuous general and targeted data protection training to ensure data is protected at all times by every member of the organisation.
  • Document compliance (ie. save forms evidencing consent as well as data access / amendment / take-down requests and organisational responses to these)s

These measures are not impossible to implement. They demonstrate the value, however, of making data protection a governance mater so as to reduce exposure in the event local regulatory bodies are slow to respond to global trends.

Recent articles & video

Last few days to nominate in the Top 25 Most Influential Lawyers

Why this documentarian profiled elder rights advocate Melissa Miller in Hot Docs film Stolen Time

Saskatchewan government boosts practical learning at University of Saskatchewan College of Law

BC Supreme Court clarifies the scope of solicitor-client privilege in estate administration

Federal Courts invite public feedback on the conduct of a global review of its rules

BC proposes legislative changes to support First Nations land ownership

Most Read Articles

National Bank cannot fulfill Greek bank’s credit guarantee due to fraud exception: SCC

Canada facing pervasive ransomware, broader cyber-criminal landscape and threat from AI: lawyer

Ontario Court of Appeal rules against real estate developer for breach of a joint venture agreement

Canadian Lawyer partners with legal associations to survey legal graduates