Does the GDPR apply to your BC-based organization?

You probably noticed a flurry of emails in your inbox over the past few weeks, as everything from social media apps to your email provider to your fridge rushed to send you privacy policy updates. Why now, you ask? Well, it has to do with a new privacy law called the GDPR.

So what is this ominous GDPR and how does it apply to BC-based organizations?

On May 25, 2018, the General Data Protection Regulation (GDPR) came into effect in Europe, imposing strict requirements on organizations that process personal information. These requirements apply to organizations established in the EU, but they can also reach organizations outside the EU, including some BC-based organizations, that offer goods or services to individuals in the EU or monitor their behaviour.

What about BC privacy laws? Do they still apply? Yes, BC’s Personal Information Protection Act (PIPA) still applies to any private sector organization that collects, uses, or discloses the personal information of individuals in BC. In some cases, organizations must ensure compliance with both the GDPR and PIPA.

Does the GDPR apply to you?

The first step is to determine if your organization is subject to the GDPR:

[Figure: GDPR flowchart]

It looks like the GDPR applies to my organization. Now what?

If your organization is subject to the GDPR, you may need to update your privacy policies and practices. The good news is that both regulations cover the same scope and define personal information in the same way. However, the GDPR differs from PIPA on consent, on the rights it grants individuals, and on the protective measures organizations must take, so review those requirements and create an action plan for completing the necessary privacy updates.

[Figure: GDPR responsibilities]

What happens if you only comply with PIPA?

The GDPR has stricter sanctions than PIPA. A serious infringement means you could face a fine of up to 20 million euros or four percent of your organization’s annual worldwide turnover, whichever is higher. A lesser infringement can still result in a fine of up to 10 million euros or two percent of your organization’s annual worldwide turnover, whichever is higher.

Take our advice.

So, if the GDPR applies to your organization, you probably have some work to do. Contact our office for guidance at oipc.bc.ca. The Information Commissioner’s Office in the United Kingdom is also a great resource (ico.org.uk).

The GDPR represents the current global standard for data protection regulation and provides an opportunity to strengthen your organization’s data protection practices. To learn more about how to comply with both PIPA and the GDPR, download our Guidance Document: Compliance with PIPA and the GDPR.
