Businesses around the world are scrambling to prepare for the EU General Data Protection Regulation (GDPR), which comes into effect May 25, 2018. The GDPR will replace the Data Protection Directive, applying in EU Member States without the need for national implementing legislation.
The GDPR establishes onerous new requirements, including data portability and the right to be forgotten. It will also expand the scope of EU data protection law to cover more non-EU established businesses, and, unlike the Directive, will apply directly to “processors” that provide services to data controllers. Canadian service providers that process data about individuals in the EU on behalf of other companies may therefore be subject to a host of new requirements, including revised contracts with controllers and obligations imposed directly under the GDPR.
If you provide goods and services in the EU, or process personal data about individuals in the EU on behalf of other organizations, this issue of PrivacyScan will help you determine if the GDPR will apply, and, if so, the new requirements you will need to follow.