General Data Protection Regulation
The General Data Protection Regulation (GPDR) is a global regulation that may impact Canadian organizations processing personal information from European residents. This includes Canadian organizations doing business in the European Economic Area through physical or virtual presence.
What EY can do for you
The General Data Protection Regulation (GPDR) is a global game changer. No organization storing or processing the personal data of EU residents can afford to be complacent, regardless of its location or current privacy maturity level. Canadian organizations that process personal information of European residents could be impacted by this regulation. This includes Canadian organizations doing business in the European Economic Area through physical or virtual presence.
- Organizations have only 72 hours to report data breaches.
- Privacy-by-design principles must be incorporated into the development of new processes and technologies.
- Explicit and affirmative consent is required before processing personal data.
- Many organizations are required to designate a data protection officer.
- Organizations must maintain records of processing activities.
- Organizations need to scale security measures based on privacy risks.
- International transfers are subject to specific requirements and mechanisms.
- Organizations report to one data protection authority.
Although the GDPR brings a welcome harmonization of fragmented data protection laws across EU member states, its wide-reaching impact and stringent rules require a fundamental organizational shift, even for businesses that are compliant with existing legislation.
When the steep financial penalties for noncompliance and data losses are added to the cost of reputational damage, sanctions, remediation and the potential impact on digital transformation, the risk of inaction is clear.
There is also the opportunity for your organization to take a strategic approach to privacy. In addition to the need to comply with regulations in other jurisdictions depending on their operational scope, Canadian organizations need to consider the expected transformations in the country as a result of the potential enactment of the Consumer Privacy Protection Act and other laws at the federal and provincial levels. This is the time to define an effective privacy program to successfully support the adequate, responsible and effective use of data.
Our risk-based, multidisciplinary approach targets privacy investment where it matters most for regulatory compliance and competitive advantage. Drawing on our extensive privacy knowledge and proven tools and methodologies, we can help identify your highest risks and design and execute a tailored roadmap for compliance and beyond.
Our latest thinking
Like what you’ve seen? Get in touch to learn more.