GDPR, PIPEDA, and PCI: How These Privacy Regulations Will Affect Your Canadian Business
Not many busy Internet users have (or take) the time to read through lengthy terms of agreement documents – they just click the “agree” box and continue with the app, business, or site they want to access and use.
The GDPR will change that approach, by giving European Union citizens the right to clearly and explicitly opt into having their data collected and used by a company on the web.
The GDPR has expanded its extra-territorial application and, effective May 25, 2018, will apply significantly higher penalties for non-compliance.[1]
What does the GDPR mean to Canadians?
2017 brought an overwhelming increase in high-profile data breaches over 2016 in both Canada and the United States. Consequently, privacy legislation is a priority for North American organizations this year.
As cybersecurity issues, data collection, and data breaches increase, significantly tighter legislation follows, and it can be a challenge for businesses to keep up.
All organizations, even those that don’t collect vast amounts of personal information, need to be aware of the legislative requirements, because their collection and retention of employee information are subject to the same regulations.
Companies that ignore GDPR compliance can have the following sanctions imposed:
- A warning in writing in cases of first and non-intentional noncompliance
- Regular periodic data protection audits
- A fine of up to €10 million or up to 2% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater, if there has been an infringement of the following provisions (Article 83, Paragraphs 5 and 6):
  - the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, and 42 and 43
  - the obligations of the certification body pursuant to Articles 42 and 43
  - the obligations of the monitoring body pursuant to Article 41(4)
- A fine of up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater, if there has been an infringement of the following provisions (Article 83, Paragraph 4):
  - the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7, and 9
  - the data subjects’ rights pursuant to Articles 12 to 22
  - the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49
  - any obligations pursuant to member state law adopted under Chapter IX
  - non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2), or failure to provide access in violation of Article 58(1)[2]
Steve Weeks, President of Netcetera, advises:
“To limit your liability, you should be able to demonstrate that your business is taking all reasonable steps to comply with the regulations. Ensure also that you have implemented basic security procedures and measures to meet the GDPR requirements.
- You have a properly configured commercial grade firewall and it’s up to date
- You are only collecting basic and necessary business data and it is encrypted
- You have posted your opt-in opt-out policies
- You can demonstrate that you are following those policies”
Personal Information Protection and Electronic Documents Act (PIPEDA)
Many applications of the GDPR are already familiar to Canadians under the Personal Information Protection and Electronic Documents Act (PIPEDA), which regulates how businesses can collect, use, and disclose personal information gathered in the process of doing business. PIPEDA ensures the protection of personal information collected through interprovincial and international transactions such as global Internet sales.
There are, however, new or enhanced requirements under the GDPR, beyond those of PIPEDA, that Canadians should be aware of.
Amendments to PIPEDA to be enforced November 1, 2018:
PIPEDA applies to most private-sector organizations conducting commercial activities throughout most of Canada; however, Quebec, BC, and Alberta apply their own substantially similar privacy laws.[3]
What is changing?
Amendments to PIPEDA that were made under the Digital Privacy Act in 2015 include mandatory breach reporting and record keeping. These amendments will be enforced on November 1, 2018.
Mandatory breach reporting will require organizations to notify individuals (unless prohibited by law) and report to the Commissioner[4] all breaches where it is reasonable to believe that the breach creates a “real risk of significant harm to the individual.”
PIPEDA defines “significant harm” as including, among other harms, humiliation, damage to reputation or relationships, and identity theft. A “real risk” requires consideration of the sensitivity of the information, the probability of misuse, and any other prescribed factor.[5]
Changes to PIPEDA will also require organizations to keep and maintain a record of every breach of safeguards involving personal information under their control.
Organizations must be prepared to take their breach notification obligations seriously, as a knowing failure to comply with the breach reporting requirements could result in fines of up to $100,000.
The Government of Canada publication Breach of Security Safeguards Regulations (September 2017)[6] provides greater detail on mandatory breach reporting and record-keeping.
Payment Card Industry Data Security Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.
All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period.[7]
Merchant levels as defined by Visa

| Level | Criteria |
|---|---|
| 1 | Any merchant, regardless of acceptance channel, processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. |
| 2 | Any merchant, regardless of acceptance channel, processing 1M to 6M Visa transactions per year. |
| 3 | Any merchant processing 20,000 to 1M Visa e-commerce transactions per year. |
| 4 | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M Visa transactions per year. |
* Any merchant that has suffered a breach that resulted in an account data compromise may be escalated to a higher validation level.
How To Meet the PCI Standards:
Complete these two basic steps:
- Pass quarterly remote vulnerability scans conducted by a Visa and MasterCard “Qualified (Approved) Independent Scan Vendor.” Scans are required for all Internet connection points, whether they are office networks, home/office connections (dial-up, DSL, cable or wireless), or permanent Internet servers such as your web site and email server.
- Successfully complete a security self-assessment questionnaire that asks specific questions about your internal security practices, both on your web site and in your office.
The experts at Netcetera understand the necessity of and the process for making your business secure and compliant. Contact us today to help your organization meet regulatory standards for GDPR, PIPEDA, and PCI DSS.