In celebration of Data Privacy Day, McCarthy Tétrault is pleased to launch the 2017 edition of our newly designed online Cybersecurity Risk Management Guide, to help clients manage data risks in a quickly evolving business environment.
Data Privacy Day, celebrated on January 28, 2017, is an opportunity for businesses to review privacy and data protection policies, and to consider taking steps to reduce operational and legal exposures that relate to the data being used and accumulated as part of business activity.
Data Privacy Day, or Data Protection Day in Europe, was originally initiated by the Council of Europe. Data Privacy Day occurs each year on January 28th, the day on which the Council of Europe’s data protection convention, known as “Convention 108”, was opened for signature.
The purpose of Data Privacy Day is to raise awareness of the importance of data protection and data privacy, to educate about data-related risks, and to inform individuals and organizations of their rights and obligations in connection with their data.
Data Privacy Day is an opportunity to give special attention to the specific data issues of the business, whether through review of existing data protection and privacy policies, raising awareness of privacy among employees and vendors, improving existing cybersecurity systems, or through the mitigation of data and privacy legal exposures.
Importance for Businesses
For businesses, there are many ways in which protection of data is a critical part of operations, including: compliance with applicable data protection laws and regulations; prevention of, and preparation for, data breaches; addressing rights of individuals whose data is held by the business; and managing exposure to legal actions in connection with data.
Key issues to consider in this regard:
- The Digital Privacy Act: the Digital Privacy Act, passed into law on June 18, 2015, introduced requirements with respect to the requisite consent by individuals prior to collection of personal information, notification and reporting obligations in the event of data breach (not yet in force, pending approval of regulations), and fines of up to $100,000 per violation of these requirements. These requirements apply to any business which handles personal information in the course of its activity. In addition, under the Digital Privacy Act, the Privacy Commissioner of Canada may make public any information that comes to his or her knowledge in the performance or exercise of any of his or her duties.
- EU Requirements: Canadian businesses that collect personal information of residents of the EU may be caught by the EU Data Protection Directive. Adding to the complexity, the General Data Protection Regulation (GDPR) is set to overhaul the EU Data Protection Directive when it comes into force in the spring of 2018. The GDPR will impose significant new obligations on data processors including record keeping, data security, and breach notification obligations. Canadian businesses that offer (including through websites) goods and services to individuals in the EU, or that track user behavior of individuals in the EU, should consider compliance with the GDPR, especially in view of potential fines of up to € 20 M or 4% of annual global revenues.
- Corporate Governance: the protection of privacy and data raises issues of corporate governance and exposure to legal actions by individuals and corporations (including class actions). Businesses should examine their data protection policies in view of best practices in the industry in which the business operates. In some cases, the relevant best practice applies through mandatory requirements that are applicable to certain types of businesses, or to businesses in certain jurisdictions (for example, see mutual funds, public corporations and investment bodies).
McCarthy Tétrault’s Leadership in Privacy and Data Management
McCarthy Tétrault’s Cybersecurity, Privacy and Data Management Group is at the forefront of data protection and data incident response. We regularly advise clients from all industries, including energy, resources, power, banking, insurance, health, technology and retail. We have been lead counsel on numerous key public and private cybersecurity responses. We offer a seamless, integrated response through our close partnerships with insurers, IT forensics firms, PR firms and others.
We work with our clients on developing strategies and policies for compliance with applicable requirements, prevention of data breaches, and readiness and response to a breach. Our legal solutions and strategies are designed to drive value while mitigating risk. Whether it is Big Data, data analytics, FinTech, or connected vehicles, we have done it.
Our recent acquisition of Wortzman’s, one of Canada’s most respected e-discovery firms, solidifies McCarthys as a leader in meeting its clients’ needs in e-discovery, information governance and technology strategy. McCarthy Tétrault’s Information Technology group is ranked Band 1 on Chambers Canada, and we are the only firm in Canada to have more than one lawyer ranked in the area of Privacy & Data Protection.