The European Union’s General Data Protection Regulation (GDPR) will come into force May 25, 2018, potentially creating new obligations for Canadian businesses that handle the personal information of individuals in Europe.
Canadian organizations may need to comply with the GDPR if they:
- Have an establishment in the EU; or
- Are located outside the EU but either “offer goods or services” to or “monitor the behaviour” of individuals in the EU.
While the GDPR and Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), share a number of core tenets, they are different laws. The Office of the Privacy Commissioner of Canada is not responsible for enforcing compliance with the GDPR.
The European Commission website offers information to help businesses comply with GDPR requirements. The Article 29 Data Protection Working Party has also developed a fact sheet. While this fact sheet was developed for Asia Pacific Privacy Authorities, it offers information and advice that Canadian businesses may find helpful.
For a Summary of Privacy Laws in Canada, visit https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/02_05_d_15/