Important Data Privacy Legislation: Is Your Business Protected?
Although it’s important to ensure your organization is PIPEDA-compliant, it isn’t the only piece of legislation that could apply to you. GDPR, MFIPPA and PHIPA all have different privacy rules that may relate to the information your organization collects, uses and discloses.
Complying with all of these regulations may seem overwhelming, but Greentec is here to help simplify the process when it comes to data disposal. When IT assets and electronic equipment reach their end of life, we can ensure all data on them is disposed of in a secure, documented manner.
What is GDPR?
GDPR, or the General Data Protection Regulation, is a set of rules designed to give individuals in the European Union more control over how organizations from all over the globe are allowed to use their personal data. It applies to people located in the EU, not only EU citizens. Under GDPR, these individuals have the right to know exactly how their personal data is being processed, and to request that their personal data be erased or that processing of it be restricted, among many other rights.
GDPR vs PIPEDA
You should already be PIPEDA compliant following the amendments that came into force on November 1, 2018, which added mandatory breach reporting and record-keeping. The Personal Information Protection and Electronic Documents Act most notably states that organizations must obtain an individual's consent when they collect, use or disclose that individual's personal information.
PIPEDA sets rules around collection, retention and use, and allows Canadians to find out what information companies hold about them and to access it. GDPR goes a step further: individuals in the EU can also ask to receive that information in a machine-readable form so they can take it to another provider, making their data portable.
Perhaps the most significant difference between GDPR and PIPEDA is consent. Under PIPEDA, implied consent is often acceptable: a person can consent once, at collection, and the organization may then use the information for the purposes identified at that time, with express consent required only for sensitive information or new purposes. Under GDPR, where consent is the lawful basis for processing, it must be freely given, specific, informed and unambiguous, and it must be obtained separately for each distinct purpose; a single blanket consent does not cover new uses. Note that consent is only one of several lawful bases under GDPR (performance of a contract, legal obligation and legitimate interests are others), so not every use of data requires consent, but whatever basis you rely on must be documented.
Impact on Canadian Business
Although GDPR rules are made to protect people in Europe, they have had immediate ramifications for North American businesses as well. GDPR applies to any organization, wherever it is located, that offers goods or services to individuals in the EU or monitors their behaviour, although the hardest hit are those that hold and process large amounts of consumer data and firms whose business models rely on acquiring and using consumer data.
Complying with GDPR will require tools companies may not previously have had in order to collate all the data they hold on an individual. As a business you have key responsibilities as a data controller. You must have a documented lawful basis for every processing activity, and where that basis is consent, you must obtain explicit, informed consent at the time you collect the personal data.
Furthermore, you must have the programs and systems in place to keep a detailed record of the individuals who consented and proof of their consent, a clear and viable means for individuals to withdraw their consent, have their information erased and/or access their data, and respond to data subject requests without undue delay and within one month (extendable by a further two months for complex or numerous requests, provided you tell the individual why).
You must also have safeguards in place to protect data even after the electronic device is no longer in use. A retired drive that still holds personal data is still personal data you are responsible for. Greentec offers secure pickup and transportation of IT assets and electronic equipment, processing your devices in our facility and providing proof that your data has been disposed of properly. We offer certified data erasure or certified shredding; both options completely destroy the data on the device, and erasure leaves you the option to recover value from the hardware. Whichever option you choose, keep the certificate of erasure or destruction, listing each device's serial number and the method used, as your audit evidence. Read more about which data destruction option is right for your needs in our post on the subject.
The new regulations must be taken seriously, as the consequences for non-compliance can be expensive fines. For the most serious infringements you can be on the hook for fines of up to €20,000,000 or 4% of your company's total worldwide annual turnover for the preceding financial year, whichever is higher.
Other Legislation to Be Aware of for Your Business
MFIPPA (the Municipal Freedom of Information and Protection of Privacy Act) is an Ontario Act that applies to local government institutions such as municipalities, school boards and police services. It outlines how these institutions must protect the personal information they collect about the individuals they deal with, and it gives those individuals the right to access municipal government records, including any records containing their own personal information. Collection, use and disclosure of personal information are all governed by this Act.
The Personal Health Information Protection Act (PHIPA) is Ontario legislation that governs how personal health information is collected, used and disclosed within the health sector. Employers and insurance providers who receive information from a custodian (health care practitioners and services) are only allowed to use or disclose that information for the purposes for which it was provided. For example, an insurance provider is permitted to disclose personal health information to a health care practitioner to assist in providing an individual with care. Because PHIPA has been declared substantially similar to PIPEDA but applies specifically to health information, health information custodians in Ontario are exempt from PIPEDA for that information and do not have to comply with both Acts. In limited situations, for example when a custodian handles the health information of individuals in the EU, GDPR may also apply.
How to Ensure Compliance with your IT Asset Disposition and E-Waste Recycling
Greentec is here to help your organization stay compliant with data privacy legislation when your IT assets and electronic devices reach their end-of-life stage. Here's how your organization can comply with PIPEDA 4.5.2 and reduce risk.