Initially, Vancouver entrepreneur David MacLaren did it because he didn’t think he had much choice.
MacLaren’s cloud-based digital asset management company, MediaValet, had grown and spread around the world. With customers in Europe, he knew he had to comply with the European Union’s General Data Protection Regulations (GDPR) – the new global gold standard when it comes to privacy – or face the prospect of hefty fines.
It was a challenging process that took six months. But MacLaren says being among the first North American companies to become GDPR compliant has made a big difference. “It has attracted new customers, increased customer retention and overall grown our business. It has increased market share because it helped us win deals from other existing digital asset management providers."
In the wake of the Cambridge Analytica scandal and with the GDPR’s entry into force in May, privacy issues and ethical questions about what companies do with the data they collect have been in the spotlight.
In October, Apple CEO Tim Cook issued a call to action. He warned that privacy was a human right and the collection of huge amounts of personal information on individuals was hurting society.
“Our own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency,” Cook told an international gathering of privacy commissioners.
Cook praised the GDPR and called on the United States to follow Europe’s lead.
While California has adopted a consumer privacy act that is scheduled to go into effect in 2020, privacy laws in the U.S. are often weak or nonexistent.
Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs private businesses, and the Privacy Act, which spells out the rules for federal government departments, but neither has kept pace with changes in technology. With the GDPR now in effect, some experts are concerned Canada's privacy laws will soon no longer be considered equivalent to those in the EU, which could complicate life for Canadian companies doing business with European companies or customers.
Described as the world's strongest data protection rules, the GDPR sets out how the private information of European residents must be handled. It backs up those rules with the threat of stiff fines – up to €20 million or four per cent of a company's worldwide annual revenue for the previous year, whichever is higher.
Fines can be imposed on any company around the world that breaks those rules – even if it has no offices in Europe.
European officials told Reuters in October that there has been a 53 per cent increase over the past year in privacy complaints under the GDPR in France and Italy alone. They expect data protection authorities to soon begin levying fines.
European data protection authorities can also use order-making powers to enforce the new privacy rules.
[pullquote]“Our own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency.”
-Tim Cook, CEO, Apple
[/pullquote]
For example, the United Kingdom’s Information Commissioner, Canadian Elizabeth Denham, has issued an order directing a British Columbian company involved in the Cambridge Analytica scandal to destroy all the personal information it collected on British citizens once B.C.’s information commissioner's office finishes its investigation into the scandal.
The GDPR's new rules are wide ranging.
One of its key provisions – privacy by design – actually originated in Canada, the brainchild of former Ontario privacy commissioner Ann Cavoukian. With privacy by design, privacy considerations are baked into systems from the start, not added as an afterthought.
Companies that have a data breach must notify affected customers within 72 hours of becoming aware of the breach. Businesses must ask people, using clear language, for consent to use their information. Individuals can withdraw that consent, and request access to information a company has regarding them. They can take their data with them if they switch to another company.
Among the other provisions is the right to be forgotten, which allows an individual to ask for information about them to be erased.
Canadian Privacy Commissioner Daniel Therrien says the GDPR is inspiring privacy policy in other countries.
"Should we apply the GDPR exactly in Canada? Not necessarily. I don't think so. We have a Canadian context. But there are many, many positive things in the GDPR."
Scott Smith, senior director of intellectual property and innovation policy for the Canadian Chamber of Commerce, says many large Canadian companies that operate internationally have already moved to comply with the GDPR.
However, he said many smaller companies don't yet realize that they may need to comply as well.
"You run an Airbnb. You have a European traveller who happens to be here. You keep their name, their address, their e-mail address and phone number – that's all personal information of an EU citizen. Theoretically, you need to be GDPR compliant."
The GDPR comes at a time when data and personal information have never been more valuable.
"I'd say it is paramount," says Smith. "Data is the way we are going to create new products, solve problems. Having timely, accurate and extensive data allows companies to understand their market, understand their customers, understand what their customers want and deliver it in ways that are more efficient and effective and convenient and lowers prices."
Elisa Henry, a partner with Borden, Ladner, Gervais, says that for many companies, data has become their main asset.
“If you don't properly take care of your data and you don't handle it properly, then you're putting your main assets at risk."
Being GDPR compliant is rapidly becoming an asset when it comes to sales and business deals, Henry adds.
"If you cannot say that these days and your business is relying heavily on processing personal information, then you're out of the game very quickly."
Chantal Bernier, who leads the privacy and cybersecurity practice at the law firm Dentons, says companies could also have difficulties exchanging data with European businesses if they aren't GDPR compliant.
"In the GDPR there is a mandatory requirement for any organization to only transfer data or to only hire a vendor that is GDPR compliant. So in addition to the competitive advantage with branding, there is a legal requirement that is a huge differentiator when you can put forward right away that you are GDPR compliant."
The cost of complying can vary widely, says Bernier. A small website selling products to Europe might be able to comply with the law for $50,000. A larger company that uses artificial intelligence, algorithms, a large amount of personal information, has European employees and sells services to Europe could end up spending hundreds of thousands of dollars to do everything necessary.
Cavoukian, who now leads the Privacy by Design Centre of Excellence at Ryerson University, says a lot of businesses have been coming to her for privacy by design certification that they can then tout to their customers.
Many of the provisions of the GDPR highlight ethical questions for businesses – even those who don't do business in Europe.
Among them, says Henry, is the use of artificial intelligence and entirely automated decision-making or profiling that affects individuals – something restricted under the GDPR.
"There are a lot of questions that as citizens we should be asking and ethics has to be embedded in privacy. They go hand in hand. And the GDPR suddenly played a big role in raising awareness about that."
In Europe, the new, tougher rules are being well received, she added. "People are more and more conscious and worried about surveillance, about monitoring of their behaviour, about automated decision-making."
Another ethical issue for business is the temptation, once you have a database chock full of personal information, to use it in a variety of ways.
Cavoukian says it is important to make privacy the default setting and not to use information you gather for any purpose other than the purpose for which it was collected.
"The beauty of doing that is that it builds trusted business relationships, which are lacking. There's a huge trust deficit," she says.
"So, I actually believe it gives businesses a competitive advantage and allows them to retain the customers they have, gain their loyalty and it attracts new opportunity."
MacLaren agrees.
He says the most challenging part of becoming GDPR compliant was reviewing all of the company's licensing agreements with their lawyer. That review and making sure all aspects of MediaValet’s operations complied with the GDPR cost “north of six figures.”
But MacLaren is glad he did it.
"In the end, if it's good for our customers and their users, it's good for us and our businesses."
Elizabeth Thompson is an award-winning journalist who has covered Canada's Parliament since 2001.
