As personal information has become a monetizable asset, risk, compliance and data experts have increasingly been forced to address the regulatory and operational ramifications of the rapid, mass availability of personal customer and employee data circulated both inside and outside of organizations.
Particularly in Canada and the United States, an unprecedented explosion of regulations has established new responsibilities for organizations to protect the personal information flowing through their operational ecosystems. Many are already actively looking inward at their governance, risk and compliance (GRC) management systems to address their personal information protection requirements. Despite the implementation of the European Union's General Data Protection Regulation (GDPR) and high-profile data breaches serving as a reminder of what is at stake, many organizations still need to take various steps to enhance their privacy and data governance.
In recent years, Canada and the United States have taken different approaches to the regulation of privacy and data, with the Canadian regime adopting stricter rules about the collection, use and storage of personal information.
In Canada, the federal Privacy Commissioner and various provincial privacy commissions have authority to oversee and investigate privacy matters. Federally, the Personal Information Protection and Electronic Documents Act (PIPEDA) broadly applies to protecting personal information collected, used and retained by private companies for commercial purposes. Similar legislation is in place for companies operating in the provinces of British Columbia, Alberta and Quebec. Federal and provincial privacy commissioners may jointly investigate privacy complaints and/or data breaches.
Canada's federal departments and agencies are subject to the Privacy Act. Each province has statutes relating to freedom of information and protection of personal information by government agencies. Separate statutes govern control of personal health information by provincial government organizations and by anyone with access to that information, such as doctors and nurses.
In the United States, privacy is supervised by the Federal Trade Commission, eight federal agencies and states that enforce the federal legislation. Although some regulations exist, there is generally no all-encompassing law regulating the acquisition, storage or use of personal data and there is no central data protection authority. For all intents and purposes, those that create and record data in some form are deemed to own the right to store and use it, even without consent to do so. There are certain exceptions to this with respect to federal laws that address certain categories of data, such as those relating to health insurance information (the Health Insurance Portability and Accountability Act), children's online privacy (the Children's Online Privacy Protection Act), and specific consumer rights (the Fair and Accurate Credit Transactions Act).
At the state level, several U.S. jurisdictions have recently proposed legislation to address how online businesses handle user information. For instance, California enacted legislation expected to come into force in 2020 that will give residents various privacy protections, including the right to be informed about the types and reasons for the collection of personal data.