Article Implications for How GDPR will impact the Canadian Financial Services Industry
By Insight Editor / 24 Apr 2018
The GDPR aims to greatly strengthen the data privacy rights of individuals in the EU, particularly where they are asked to submit personal information to a website or vendor for any purpose. Though enacted in the EU, the GDPR applies to businesses and organizations anywhere in the world that offer goods or services to people in the EU or monitor their behaviour, and therefore to the personal data those organizations handle.
The GDPR will come into effect on May 25, 2018.
For the financial services industry in Canada, the GDPR is very relevant. Canada’s major banks operate in the EU for various purposes, such as facilitating foreign direct investment, managing local investors and managing transactions between EU citizens/businesses and their Canadian counterparts.
In each of these cases, personal data of EU residents is collected and processed by Canadian financial services providers, and depending on the exact situation that data may also flow to Canada or to other non-EU countries. For example, a business could have its newsletter subscriber database hosted in an American data centre through an external cloud host.
Canadian financial services companies may also be affected indirectly, by handling transactions between companies in Canada and the EU. The scope is broad given the breadth of Canada’s exports to the EU, which totaled $45 billion and included machinery, chemicals and pharmaceuticals, and transport equipment, among others.
Besides strict requirements, the GDPR also carries punitive measures for companies that fail to comply. Depending on the seriousness of the infringement, the penalty can be as high as €20 million or 4% of worldwide annual turnover, whichever is higher.
Companies complying with Canada’s data privacy laws — i.e. the Personal Information Protection and Electronic Documents Act (PIPEDA) — are partly complying with the GDPR.
In fact, PIPEDA is the basis on which Canada is one of 12 jurisdictions the EU recognizes as providing “adequate” protection for personal data. Thanks to this adequacy status, which covers organizations subject to PIPEDA, personal data of EU residents can be transferred to Canada without additional transfer safeguards such as standard contractual clauses.
However, adequacy only covers the transfer itself; it does not demonstrate that a Canadian company complies with the GDPR’s other obligations. There are key differences between PIPEDA and the GDPR in terms of how the latter governs user consent and data portability.
Overall, the GDPR prioritizes the protection of two streams of data:
(1) personal data such as a person’s name, email address and location, and
(2) sensitive data, which can include someone’s religion, political affiliation and sexual orientation, among others.
Complying with the GDPR will require the Canadian financial services industry to strengthen its user data management and document all processes involving how it collects and manages the personal data of EU residents. It must also strictly adhere to the EU’s personal privacy laws. In effect, companies must proactively design a GDPR-compliant privacy strategy accounting for all risks and requirements outlined by the EU. This also includes appointing a data protection officer where the GDPR requires one, for example where core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive data.
Under the GDPR, Canadian firms must maintain records of all internal and third-party personal data processing. The documentation process is taxing in that it also requires a Privacy Impact Assessment (PIA), which the GDPR calls a Data Protection Impact Assessment, for any processing likely to pose a high risk to individuals.
The PIA must identify the threats to the personal data and to the systems that hold it, and document how you have addressed those threats. It must also detail what data users disclose and how you will store and process it, including who will have access to that data. You must also detail how users can correct and remove their data.
The financial services industry relies on personal data for many key business functions, such as verifying personal information for fraud detection and personalizing offerings to customers. The GDPR will impact how a financial services firm can leverage that data to those ends by enabling data subjects to have key information erased or to object to providing it.
In case of a breach of personal data, the GDPR requires the company, as data controller, to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and to notify affected individuals without undue delay where the breach is likely to result in a high risk to them. Where the business uses an external company to process data on its behalf (e.g. a payment processor), that external company, as processor, must notify the business without undue delay when a breach occurs on its end, so that the business can meet its own 72-hour deadline; the contract between the two should spell out this obligation.
The GDPR gives EU residents the right to request erasure of their data held on your systems (the “right to be forgotten”). In such a scenario, the controller must delete that data without undue delay, unless a legal obligation requires it to be retained, which is common in financial services (for example, transaction records kept for anti-money-laundering or tax purposes). Where the data has been disclosed to other parties, those parties must also be informed of the erasure request.
For example, a consumer might ask a Canadian e-commerce entity to delete their personal data; in this process, the e-commerce entity will not only delete the information on its end but must also have its e-payment provider, acting as its processor, do the same, subject to that provider’s own legal retention obligations.
The GDPR requires companies to obtain explicit, specific consent when they rely on consent as the basis for processing an EU resident’s data. PIPEDA’s flexibility for “implied consent” does not carry over to the GDPR, so you cannot bundle consent for several purposes into a single all-inclusive button or pre-ticked box; consent must be requested separately for each purpose, the user must be free to refuse each one, and withdrawing consent must be as easy as giving it. As the data subject, the user can also object to processing and to decisions based solely on automated decision-making, and must be told when their data will be transferred outside the EU.
Beyond these notification duties, should a supervisory authority investigate, EU regulators can request documentation of your company’s data collection and management processes, including the records of processing and the PIA.
It’s clear that considerable changes are required to align your data collection and management processes with the GDPR. You are affected not only from the purely regulatory aspect, which requires changes to how you request and manage data, but potentially from an operations standpoint as well.
Internally, every firm in the Canadian financial services industry managing EU data must ensure that its internal processes align with GDPR requirements – i.e. obtaining explicit consent, honouring the ‘right to be forgotten’, writing a PIA, appointing a data protection officer where required and fulfilling the GDPR’s 72-hour requirement to notify regulators in case of a breach.
Operationally, the financial services industry must review how it is storing and processing data to ensure that its implementation is GDPR-compliant. Many firms rely on outside cloud-hosting providers to reduce their operating costs, especially small and medium-sized companies which are unable to sustain the high cost of securely hosting data (including that of their own businesses).
This is relevant to the financial services industry on several fronts. First, if your financial services company is interested in outsourcing its data hosting, then you must ensure that your vendors are GDPR-compliant and bind them with a data processing agreement that covers the GDPR’s requirements for processors (security measures, breach notification, sub-processor approval and deletion or return of data at the end of the contract). Otherwise, your vendor’s deficiencies become yours and leave you liable to the EU’s penalties for non-compliance. Second, financial services firms fully complying with the GDPR – internally and through their vendors – can leverage that to secure the business of Canadian companies seeking to operate in the EU.
If you’re in the process of aligning your financial services company with the GDPR, especially in terms of data collection, storage and management, we’ve got offices across Europe, Canada, and the U.S. preparing businesses for GDPR right now. Contact Insight to support GDPR compliance across your IT.