Quickstart Guide to GDPR and PIPEDA
What You Need To Know
What is the GDPR?
The General Data Protection Regulation (GDPR) is a law designed to protect consumer privacy and sensitive personal data before and after it has been collected by a business or organization.
The law only protects individuals residing within the European Union (EU) or European Economic Area (EEA), but it affects companies all around the world, regardless of where they are operationally located or conduct business.
The regulation strengthens consumer protection by entitling individuals to:
- refuse marketing solicitation
- view, delete or withdraw their personal data from a given service
- know why their data is being collected
- know how an organization uses their personal data
- know for how long an organization intends to retain their personal data
The law also sets standards for how soon companies must report data breaches (within 72 hours) and sets significant penalties (up to €20 Million or 4% of annual revenue, whichever is greater) for those who do not comply with the outlined regulations.
Although My Insurance Broker does not transact business with EU residents, we believe the GDPR represents the future of consumer protection and have decided to use it as a model for how we handle customer data.
What privacy protections exist in Canada today?
In Canada, the rules for how for-profit, private-sector organizations collect, use, and disclose sensitive personal data are determined by the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act (PA). Under these sets of rules, organizations must provide individuals:
- the right to access their personal information and challenge its accuracy
- the ability to grant or deny consent to collect, use or disclose that individual’s information
- the assurance that their information will be protected by appropriate safeguards
While these protections may seem similar to those granted by the GDPR, there are several instances where protections under the GDPR are actually stronger than those currently in place in Canada under PIPEDA and the PA.
| PIPEDA & Privacy Act | The GDPR |
|---|---|
| Principle 3 - Consent: Consent must be obtained, but may be implied, prior to the collection or processing of data from an individual by an organization. | Article 6 - Lawfulness of Processing: Consent must be given by an affirmative act by the individual, cannot be bundled into a contract, and must be given freely without imbalance of power. |
| Principle 8 - Openness: "An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information." Organizations are not obliged by law to provide you a copy of the data. | Article 20 - Right to Data Portability: "[Individuals] have the right to receive the personal data concerning him or her ... in a structured, commonly used and machine-readable format ... without hindrance" |
| Principle 6 - Accuracy: Individuals may withdraw consent for the use of their data at any time; however, an organization still has the right to retain all data in accordance with its stated minimum and maximum retention periods. | Article 17 - Right to Erasure: An individual has the right to request the erasure of all personal data concerning him or her without undue delay. This is commonly referred to as the 'right to be forgotten'. |
| Division 1.1 - Breaches of Security Safeguards: An organization must keep records of any breach of security safeguards. If the breach creates a real risk of significant harm to an individual, the organization must report the breach to the individual and also to the Privacy Commissioner of Canada as soon as feasible. | Article 33 - Notification of a Personal Data Breach: In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. |