LEGAL
data processor or controller breaches one of its obligations,
that is governed by the lower tier. Breaching consumer rights
will likely be subject to the higher tier. These fines can be
debilitating, but these are maximum values and in reality, the
severity of the penalty will correspond with the seriousness of
the non-compliant act.
The best way to avoid fines is to become as GDPR compliant
as possible. That said, there may be some instances where
a Canadian business may find the cost of becoming GDPR
compliant disproportionate to the level of business it does in
the EU and may seek to avoid compliance altogether.
There are scenarios where non-compliance is arguably
a reasonable alternative. The risk of penalty would be
minimized if: the data is not sensitive; there is irregular
interaction with the data subject (the person whose data
is being collected); and interaction is passive as opposed
to active. For example, if a game developer collects anonymized
data about which colour a user prefers, a data
breach would have little real-world consequence. If a
European intermediary performs all data-subject interaction,
any penalty would seemingly be minimal under the
criteria used to determine the fine amount. Nonetheless,
the above would only be applicable to the data controller.
The GDPR is clear – regular data processing requires
compliance. If you are the data processor, you must
become compliant.
As this legislation is new, much remains up in the air. The
GDPR indicates that there will be “regular monitoring” to
ensure compliance. However, there is no clear definition of
what regular monitoring entails. Ultimately, for Canadian
businesses, the question of compliance becomes a business
decision pertaining to risk tolerance. Additionally, the pressure
to become compliant not only arises from the risk of
fines, but also from clients who may demand compliance or
move to competitors who are compliant, depending on the
services provided.
There may be significant insurance implications as well.
Canadian businesses must consider how much transacting
they do in the EU and the sensitivity of the data they deal with
in determining whether the European marketplace is worth
the cost of GDPR compliance or the risk of non-compliance.
The fines are based on global revenue, so the risk of non-compliance
is significant even if revenue from the EU is only
a fraction of the global total.
For large data processing companies such as Facebook
and Google, becoming GDPR compliant was a foregone
conclusion (and even they have already been subject to lawsuits
alleging contravention of the GDPR). For Canadian
businesses that are or are considering operating in the EU,
it is not nearly as straightforward and will require a careful
weighing of the pros and cons.
Ranish Raveendrabose is an associate of Fillmore Riley LLP
who practises primarily in the areas of corporate and commercial
law as well as intellectual property law. You may reach
him at rraveendrabose@fillmoreriley.com or 204-957-8396. This
article originally appeared in Fillmore Riley LLP’s newsletter,
The Brief, and is reprinted here with permission.
PILING CANADA 55