
Inside Internal Controls

News and discussion on implementing risk management


Understanding the differences between GDPR, CCPA, and PIPEDA – a guide for Canadian businesses


Gone are the days of unregulated and untethered data gathering. With the rolling out of the California Consumer Privacy Act, Canadian businesses are now finding themselves navigating a sea awash with a patchwork of extraterritorial legislation. The laws are sometimes inconsistent, often vague, and certainly confusing. It has therefore become critical that companies understand their obligations under each of these major regimes and delineate the nuanced differences between them. Failure to do so may result in severe fines.

In light of this, I have created a quick reference guide for companies looking to better understand their legal obligations under GDPR, CCPA, and PIPEDA.

| Issue | PIPEDA | GDPR | CCPA |
|---|---|---|---|
| Does each law apply to my business? | PIPEDA applies to private sector organizations that collect, use, or disclose personal information in the course of commercial activity. Notably, this applies to small businesses, and to some non-profits and charities that may be considered as conducting "commercial activity". | Applies to processing of personal data by all organizations (Canadian ones too) that are established in the EU, regardless of where data processing occurs. Equally, to organizations that control or process data in connection with the offering of goods or services to, or the monitoring of the behaviour of, EU residents for advertising. | For-profit companies engaging consumers and households in California. For-profit companies with at least $25 million in annual revenue must comply with the law, as must companies of any size that hold personal data on at least 50,000 people or that collect more than half of their revenues from the sale of personal data. |
| Who is protected by the legislation? | A natural person. Does not have to be a citizen, or a resident of a specific province. | Natural persons resident in the EU, or EU citizens. | Consumers resident in California, if they are natural persons. |
| Are employees protected? | Generally, not. | Generally, yes. | Limited application; however, this may change. |
| What kind of information is protected? | Personal information may be factual, subjective, recorded or not, about an identifiable individual. This could include employee files, loan records, or blood type. | Personal information may be factual, subjective, recorded or not, about an identifiable individual. This could include employee files, loan records, or blood type. | Personal information that could identify a consumer or household. |
| In what ways is information safeguarded? | Information must be protected in accordance with its sensitivity, and in light of developing risks. | Appropriate technical and organisational measures, taking into account current technologies, risks, and severities. | No explicit requirements; however, expect to take appropriate measures. |
| Notification requirements in the event of a breach | Where the breach poses a real risk of significant harm to the individual (RROSH test), as soon as feasible. | Where possible, within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. | There are different requirements based on the nature of the business. Generally, affected individuals must be notified very quickly. Note that notification under the CCPA is triggered by several events, not just a breach. This includes the selling of data, and the transfer of data during a merger. |
| Potential penalties | Up to 100,000 Canadian dollars. | Up to 20,000,000 euro, or up to 4% of annual worldwide turnover of the preceding financial year. | $100 to $750 per consumer per incident, or actual damages, whichever is greater. There are also civil penalties. |

As this chart demonstrates, there are several differences between PIPEDA, GDPR and CCPA. Some differences are slight, while others are more obvious. In any case, businesses need not only be aware of their privacy obligations but also take proactive measures to ensure compliance. This means working hand in hand with your IT team to understand where your servers are, what kind of information your business is processing, and what kind of security measures are put in place. It also means making sure your business is working together with competent legal counsel that understands the peculiarities of each law.

By Michael Weinberger, Siskinds
