When the General Data Protection Regulation (GDPR) comes into effect on May 25th, it will have major ramifications for Canadian businesses.
Drafted in part as a means of ensuring EU residents have more control over their personal data, the legislation includes mechanisms that implement tighter rules for companies when it comes to the handling of data.
The regulation applies to all companies that hold the personal data of EU residents — not just to European companies. It applies to companies in all countries, including Canada, which is the EU’s 10th most important trading partner, exporting (Canadian dollars) €31.4 billion worth of products to the European group of nations, and importing (Canadian dollars) €37.7 billion of EU products.
Any Canadian company that has EU personal information has only a few weeks left to understand the implications of the regulations, and change its data protection program to meet GDPR obligations.
One of the benefits of GDPR is that companies can use this event as a catalyst for driving technology changes such as moving to an enterprise cloud solution. GDPR requires that companies know what data they have, how that data is secured, and how that data is being used in the delivery of the services or products they are offering.
Fines provided
The crafters of the GDPR did not include an opt-out clause. There is no grey area — businesses must comply. To wit: any organization that fails to satisfy the requirements of the legislation by ensuring the security of the data they collect and ensuring it is used properly may be subjected to heavy fines of up to €20 million, or four per cent of their global gross revenue — whichever figure is the greater.
Touching all areas
The GDPR requires a level of transparency that companies are not normally accustomed to providing, and will require organizations to rethink how data is secured and used.
Some areas for consideration are:
- Accountability (relevant GDPR article, “Principles relating to processing of personal data”) – Companies must ensure and adhere to data protection principles and best practices.
- Notification (relevant GDPR article, “Notification of a personal data breach to the supervisory authority”) – Companies must report data breaches within 72 hours to both the supervisory authority and to those directly affected by the breach. Failure to report properly and fully within 72 hours may result in fines of up to €20 million, or four per cent of global annual revenue.
- Technology (relevant GDPR article, “Data protection by design and by default”) – Companies must establish internal strategies and take the necessary steps to ensure data protection through technology (by design) and as a standard approach (by default).
“The GDPR touches virtually all areas of business operations,” said Crispen Maung, VP, Compliance, Box. “This makes it critically important — potentially make-or-break for many organizations over the long term — to implement a cloud management platform that helps them meet the requirements of GDPR.”
Getting on the right side
Box has for years been preparing for stricter compliance and security regulations around cloud computing, and has worked to meet many of the new and upcoming certifications and regulations around data protection. In the past few years, Box has achieved a high bar of compliance and security certifications associated with data protection, such as FedRAMP, the new German C5, and TCDP.
With the GDPR coming into effect, the time is now — today — for organizations to get proper and full control of their organization’s content, including where it’s stored, where it’s processed, and how it’s used.
“The legislation is coming no matter what,” said Crispen Maung. “It’s an inevitability, and very soon it’ll be law. A company does well to ask what it gains by not doing everything in its power to comply. Why not be on the right side of compliance?”
On-demand webinar
In the on-demand webinar, “Preparing for the GDPR: What to ask your vendors,” Box VP Compliance Crispen Maung discusses:
- GDPR requirements;
- Questions to ask when evaluating cloud platforms for GDPR readiness; and
- How Box helps customers address critical GDPR requirements.