Data Privacy Governance in the Age of GDPR

Robert Merrick and Suzanne Ryan


April 1, 2019


As personal information has become a monetizable asset, risk, compliance and data experts have increasingly been forced to address the regulatory and operational ramifications of the rapid, mass availability of personal customer and employee data circulated both inside and outside of organizations.

Particularly in Canada and the United States, an unprecedented explosion of regulations has established new responsibilities for organizations to protect the personal information flowing through their operational ecosystems. Many are already actively looking inward at their governance, risk and compliance (GRC) management systems to address their personal information protection requirements. Despite the implementation of the European Union’s General Data Protection Regulation (GDPR) and high-profile data breaches serving as a reminder of what is at stake, many organizations still need to take various steps to enhance their privacy and data governance.

Comparing Canadian and American Approaches to Data Protection

In recent years, Canada and the United States have taken different approaches to the regulation of privacy and data, with the Canadian regime adopting stricter rules about the collection, use and storage of personal information.

In Canada, the federal Privacy Commissioner and various provincial privacy commissions have authority to oversee and investigate privacy matters. Federally, the Personal Information Protection and Electronic Documents Act (PIPEDA) broadly applies to protecting personal information collected, used and retained by private companies for commercial purposes. Similar legislation is in place for companies operating in the provinces of British Columbia, Alberta and Quebec. Federal and provincial privacy commissioners may jointly investigate privacy complaints and/or data breaches.

Canada’s federal departments and agencies are subject to the Privacy Act. Each province has statutes relating to freedom of information and protection of personal information by government agencies. Separate statutes govern control of personal health information by provincial government organizations and by anyone with access to that information, such as doctors and nurses.

In the United States, privacy is supervised by the Federal Trade Commission, eight federal agencies and states that enforce the federal legislation. Although some regulations exist, there is generally no all-encompassing law regulating the acquisition, storage or use of personal data and there is no central data protection authority. For all intents, those that create and record data in some form are deemed to own the right to store and use it, even without consent to do so. There are certain exceptions to this with respect to federal laws that address certain categories of data, such as those relating to health insurance information (the Health Insurance Portability and Accountability Act), children’s online privacy (the Children’s Online Privacy Protection Act), and specific consumer rights (the Fair and Accurate Credit Transactions Act).

At the state level, several U.S. jurisdictions have recently proposed legislation to address how online businesses handle user information. For instance, California enacted legislation expected to come into force in 2020 that will give residents various privacy protections, including the right to be informed about the types and reasons for the collection of personal data.

Under U.S. law, businesses established in other jurisdictions are subject to federal data protection requirements for all U.S. residents and to state data protection requirements. A “Safe Harbor” agreement was established in the 1990s to protect personal information stored by organizations in the United States or European Union. The agreement was ruled invalid by the EU’s top court in 2015, however, on the basis that U.S. data protection laws did not adequately protect consumers. The U.S. and EU have since been negotiating for a new agreement.

Along with the above requirements, both Canadian and U.S. anti-spam legislation requires companies sending electronic marketing material to allow consumers to opt-out from receiving such material. Both countries also have legislation to protect personal information held by federal government departments and agencies.

The GDPR Benchmark

The GDPR, which came into force in May 2018, represents the most comprehensive regime in the world for regulation of privacy and the flow of personal information. The requirements apply to personal data of any individual EU resident that is used by any person, group, company or government agency located anywhere in the world. GDPR applies to almost every type of personal information about an individual, including their name, address, bank details, social networking content, medical information and computer IP address.

Under the GDPR, there are two categories of data users: “controllers” and “processors.” Data controllers are those collecting data from EU residents, and data processors are those processing data on behalf of a data controller. Both controllers and processors can be organizations that are using personal information of EU residents, whether they are located inside the EU or not. In most cases, if a Canadian or U.S. company has offices in an EU member-state, sells to or buys from an EU resident, tracks EU residents through their websites, or processes data that includes EU resident information on behalf of other businesses, GDPR requirements apply.

While the scope of information collection and processing is not as broadly defined in Canada as it is under the EU regime, Canada’s PIPEDA also applies to personal information that both private sector organizations collect in the course of commercial activities and that the federal government collects in connection with its work. While data pseudonymization and anonymization are an explicit component of GDPR, Canada’s Privacy Commissioner has issued guidelines encouraging organizations to destroy or anonymize information that is no longer necessary. GDPR goes even further in that it gives data subjects the right to object to the continued processing of their personal data.

Regarding the cross-jurisdictional applicability of privacy requirements, Canadian courts have found that a commercial activity under PIPEDA includes the relaying of bank transaction information into and out of Canada. Similarly, under U.S. jurisprudence, businesses established in other jurisdictions are subject to federal data protection laws for all U.S. residents as well as to state data protection laws based on the state of residence of the individual impacted.

GDPR has strict requirements for organizations to report to the supervisory authority within 72 hours of becoming aware of a data breach unless it is unlikely to result in risk to a person. The data subject has to be notified “without undue delay.” In Canada, as of January 2019, the federal government requires companies to report data breaches to the federal Privacy Commissioner and to notify affected individuals when there is a “real risk of significant harm.”

Under the U.S. Gramm-Leach-Bliley Act, financial institutions are required to promptly report data breaches to both the authorities and the individuals impacted where there is a risk of harm. At the state level, some states require breach reporting to the authorities under certain conditions, and all states require reporting of data breaches to individuals as soon as practically possible.

Under the Securities and Exchange Act, public companies are required to notify the SEC of material events like cyber incidents and registrants are required to submit conclusions on the effectiveness of their disclosure controls and procedures. Similar legislation in Canada requires notification of material events and submitting conclusions on the effectiveness of disclosure controls to Canadian securities regulators.

There are other aspects of PIPEDA and GDPR that are captured by U.S. law. For instance, under the Gramm-Leach-Bliley Act, financial organizations are required to designate someone to have responsibility for personal information protection. In addition, in Canada, the United States and Europe, businesses sharing personal information with a vendor are required to ensure the vendor has adequate security processes in place to safeguard that information.

Regulators in Canada have announced that they are looking at further revisions to Canadian privacy law to meet the higher standards in GDPR. Many U.S. state governments are also introducing changes. Given these trends—and despite the trade protectionist movements at play globally—companies will continue to be susceptible to the unlimited flow of information across borders and through their own business structures and systems. For these reasons, Canadian and American organizations must consider ways to make their processes and systems conform to the GDPR standards.

Components of a GRC Program for Privacy and Data Protection

As the framework for managing business governance, marketplace and legal risks, GRC management provides the strategic and operational structure for organizations to effectively deliver products or services. In the face of enhanced privacy regulation already in place in the EU and coming in other jurisdictions, legal, audit and technology leaders should have a privacy and data management program in place that establishes accountability and oversight of data throughout the organization. Many privacy regulators, such as the Canadian Privacy Commissioner and the EU Privacy Supervisor, either require or recommend that organizations have such a program.

The following steps can be taken to develop or improve a privacy and data management program that meets regulatory guidance:

1. Identify Compliance Requirements and Assess Risk Scope and Tolerance
Organizations should have a privacy program if they gather, process or store personal information either directly or through third parties for customers, employees or anyone else. Regulations apply from each jurisdiction where these activities occur. That includes countries where personal data is transferred to or from, where individuals access your website, where data is stored (including backups), and where third parties gather, process or store data on your behalf. Other data may be confidential to the organization and an inadvertent or deliberate release of that information without proper authorization, or a theft of confidential data, can result in significant financial harm. For publicly-traded companies, such a release can result in fines levied by securities regulators and devaluation of the company’s shares. To assess inherent risk and risk tolerance, consider the regulatory consequences of non-compliance and reduced revenue from damage to brand and reputation.

2. Assign and Establish Accountability Policies
Define and allocate responsibility for privacy and data security in all areas of the organization. This includes establishing the “tone from the top” with the appointment of individuals such as a chief privacy officer, chief compliance officer and/or a chief data security officer who have authority delegated from the board and the support of executives. The board should also establish a privacy policy, data security policy and code of conduct that define data accountability for all areas of the organization and for oversight of third-parties’ data users. Policies should also establish requirements for reporting to executives and the board on the activities of accountable individuals, including the results of monitoring and residual risk assessment of all processes and systems.

3. Adopt Privacy and Data Management Policies and Procedures
All privacy and data management program procedures should be documented and mapped with documentation available for training and for review by auditors and regulators. Regulators often receive complaints about organizations directly from members of the public and may request access to review policies and procedures in order to consider the validity of the complaint. Policies and procedures should address:

  • Data owner rights, including managing consent and withdrawal of consent, challenging accuracy, requesting copies of their data, submitting complaints, the removal of data when accounts are closed, and—if EU rules apply—the right to port data.

  • Data inventories for all paper and structured electronic records, including details of locations (and backup locations) such as where to find the data, who accesses and uses the data and for what purpose, and other information necessary to facilitate management of processes such as those related to data owner rights.

  • Third-party management, including clauses in contracts with third-parties who manage privacy data on your behalf that define data ownership (i.e., whether ownership stays with your organization or not), confidentiality, data destruction, data security standards for data at rest and in transmission, requirement to provide audit reports and/or a right to audit.

  • Data security requirements, including encrypting data at rest and when transmitted, using antivirus and antimalware software, conducting periodic penetration testing, monitoring system incidents, and adopting cybersecurity standards such as those issued by the National Institute of Standards and Technology. In addition, data security procedures should address physical security such as controlled access to buildings, clean desk procedures and restrictions on using company hardware for personal use.

4. Implement Breach and Incident Management Processes
Organizations should have processes in place to identify data breaches and attempted data breaches and to report such incidents to individuals in charge of managing privacy and data security who are responsible for communicating incidents to executives, regulators and anyone affected by a data breach. This includes breaches that occur at third parties. Any data breach can have a significant impact on an organization and should always be investigated thoroughly to gain an understanding of the data that may have been compromised, determine how the breach occurred and identify improvements that can be made to prevent further occurrences. All internal and external communications regarding data breaches must have input from those individuals with the delegated authority and responsibility for data management.

5. Monitor and Assess Residual Risk and Improve Controls
All processes and systems for managing data should be reviewed periodically by the privacy officer, data security officer, internal audit, and/or by specialist third-parties hired for this purpose. This includes reviewing complaints and whistleblower reports that may indicate process and system deficiencies. The results of such a review can then be used to measure residual risk and recommend control improvements to reduce residual risk to an acceptable level.

6. Develop a Privacy and Data Change Management and Communications Strategy
Enhanced privacy protection systems and processes may represent a significant shift for an organization, so the manner in which these changes are implemented and communicated to employees, customers and regulators will be vital to a smooth transition. Communicating policies and procedures to all employees is important for protecting the organization. Many data breaches and process deficiencies are caused because employees do not understand their roles or the consequences to the organization of failing to protect data.

Robert Merrick is principal of Toronto-based GRC Management Advisory Services and co-founder of the Canadian RegTech Association. Suzanne Ryan is a strategic advisor to GRC Management Advisory Services and former head of internal audit, regulatory compliance and other risk management functions for Canadian financial institutions.