Antoine Guilmain spoke to TrackTik about the General Data Protection Regulation (GDPR) and how it will have an impact on businesses in Europe but also in North America.
Antoine Guilmain is an associate at Fasken’s Montreal office and a member of the Privacy and Information Protection Group. His practice areas are personal information protection, access to information, online advertising and marketing, cybersecurity, and new technologies. In particular, as a lawyer at the Paris Bar and holder of the CIPP/E certification, he assists many clients with their compliance processes under the GDPR. He also holds a doctorate in information technology law from the Université de Montréal and the Université Paris 1 Panthéon-Sorbonne.
The General Data Protection Regulation is taking effect in May 2018. How does it differ from the old Data Protection Directive from the ’90s?
Antoine: The GDPR differs from the Directive in many ways, and I’m going to give you some examples. First, unlike the Directive, the GDPR is a binding legislative statute, which must be applied in its entirety across the EU. Second, the definition of personal data has been significantly extended. It includes, of course, a person’s name, email addresses, phone numbers, etc., but also IP addresses, mobile device identifiers, geo-location, biometric data, and so on. Third, the GDPR provides the individual with new rights, such as the well-known right to be forgotten, the right to data portability, and the right to not be subject to a decision based solely on profiling. Lastly, let’s not forget the provisions dealing with mandatory breach notification and the concept of privacy by design, which are very important in this new piece of legislation.
Consent is a major part of the GDPR. What is the definition of consent? What is your advice for companies who have to comply with this definition?
Antoine: [Consent according to the GDPR] is defined as being “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by affirmative action, signifies an agreement to the processing of personal data relating to him or her”. Oof!
Beyond this conceptual definition, I would have two practical pieces of advice for companies. First, you do not always need consent, as other lawful bases may apply; second, check your consent practices and your existing consents from the individual’s point of view. In other words, you should take a look at your own consent form to see if it is simple for you to understand and if there is a clear indication that you agree.
Is there controversy around the area of consent?
Antoine: The answer is yes; consent has to be explicit for sensitive data. And so far, we do not know yet exactly what’s going to be the difference between the consent for normal personal data and what’s going to be the criteria for explicitness for sensitive data. We are still waiting for guidance in this regard.
Do you think the GDPR will renew customers’ trust in businesses?
Antoine: Well, it’s difficult to predict the future, but this is the very raison d’être of the GDPR. In this regard, if you look at the GDPR preamble, you can read, and I quote, “the importance of creating the trust that will allow the digital economy to develop across the internal market”. That being said, I believe the need for trust in the protection of personal data concerns not only the individual but also, and mainly, organizations.
What types of challenges do you foresee companies having to deal with? For example, there are some significant penalties if a company doesn’t comply.
Antoine: First I would like to start with a quote: when you have to eat an elephant, you eat the elephant one bite at a time. (I’ve never eaten any elephants but…). That being said, the first challenge for any company is to understand the GDPR’s scope of application. That’s the main question: are you subject to the GDPR or not, especially for Canadian companies? If you are subject to the GDPR, the second challenge will be to embed and review your data protection strategy, in terms of data storage, data subject requests, data breach notification, and so on.
Finally, and I believe it’s the most important challenge, you need to have your team fully involved and committed to work together towards better data privacy practices. Really, it’s to have people interested and fully committed to the GDPR.
Was there a specific event that triggered the application of GDPR for non-EU companies?
Antoine: I suppose the European regulator had US companies particularly in mind. We are all aware of the difficulties with the Privacy Shield. So the question was, can we safely transfer the personal data of Europeans to the US? I don’t think something specific happened that could explain such a modification in the regulation, but definitely, when they drafted the GDPR, they were bearing in mind the fact that in other parts of the world, privacy is not as much of a concern as it is in the EU.
Do you think any companies, especially Canadian- or US-based companies with fewer clients in the EU, would rather leave than become compliant?
Antoine: It’s tough to say, because in the end it’s really managing your risk. That being said, and it’s what I say every time to my clients: the GDPR is much more than just legal compliance, it’s a business opportunity as well as a business imperative. The reason why is (…) if you fail to get data protection right, you are likely to damage your reputation, your customer relationship, and at the end of the day, your profitability. You should make the best out of the GDPR if you’re a company (…).
I believe privacy is a minor factor if you want to do business with someone. You won’t say “I don’t want to deal with you because it’s too difficult for me to comply with your standards”. I believe companies will really take this as an advantage (…).
When we look at, for instance, Canada, the US, but also Asia, no one is contesting the GDPR. Everyone is just trying to comply with it. There is lots of talk and discussion regarding it, but in the end, no one will say they don’t want to comply because they don’t want to do business with the EU, especially because the EU represents a huge amount of consumers.
With data protection laws being different in the US and Canada, some companies are segmenting their databases and treating data subjects in each country differently rather than having the same policies across the board. Do you think that companies will continue to apply different standards?
Antoine: We see many companies having different standards depending on the jurisdiction. I think it will stay like that for a couple of years, and the reason why is that if you are a US company, and you are processing data from EU citizens in the US, it’s a lot of requirements and a lot of procedures just to be compliant with what’s happening in the EU. I believe in the future it will stay like that.
Do you think most companies have already started the process of complying with the GDPR?
Antoine: From what I have read, and according to some statistics, many companies are running late and they are realizing that it’s coming. It’s coming very soon, in May. They are scared right now. What I would tell them is: yes, it’s coming in only a couple of weeks, but it’s possible to comply, and what you need is a well-designed process. You won’t do it in only a week, but if you establish a plan, you can do it in a couple of months. It’s a long process, but in the end it could really create more business opportunities.
Where can companies go to learn more about the GDPR?
Antoine: The first thing I would do is to consult the documentation prepared by the European Commission and your local supervisory authority (if any). The ICO in the UK and the CNIL in France have produced very interesting documentation. The second step is to consult an attorney regarding this question: are you subject to the GDPR or not? This is the first step and first challenge for any company based outside the EU.
Especially in Canada and in North America, [the GDPR] is completely of your concern even though it is happening in the EU. It’s the recurring comment I get from companies in Canada, who believe they are not subject to the GDPR, but what I am telling them is that the scope of the GDPR is very new and very broad. I would tell them, even though it’s in the EU, it is of your concern.
For more information about the GDPR, check out TrackTik’s GDPR compliance page.