Comparing GDPR and PIPA Data Collection Compliance Standards
Everything you need to know about upholding local and international data collection compliance
Technological innovation has made it easier than ever before for professionals to do business at home and around the world. However, this innovation has come with an increased risk to data security – particularly, consumer personal information. In order to better protect consumer data, countless local and international regulatory bodies have implemented rigid standards regarding the collection, storing, and sharing of personal identifiable information (PIN).
Two of the most recent developments in the regulation of personal data collection comes in the form of the General Data Protection Regulation (GDPR) from the EU and the Personal Information Protection Act (PIPA) from British Columbia’s provincial government. While BC businesses may think they only have to worry about PIPA regulations, all BC entities that collect, store, and share personal information from European consumers are on the hook for GDPR compliance too.
With both of these regulatory frameworks to think about, BC businesses are often left scrambling to understand the difference and grasp what compliance regulations they’re responsible for. That’s why we thought it was a perfect time to break down the specifics of these regulatory frameworks to help business professionals of all kinds better understand what’s expected of them. Read on to better understand the difference between GDPR and PIPA regulations and get an idea what’s expected of you and your organization, locally and internationally.
Basic Breakdown: Defining the Nature & Scope of the GDPR & PIPA
- General Data Protection Regulation (GDPR)
Simply put, the GDPR is a new set of regulatory standards that seek to protect the personal data and privacy of citizens in the EU. The GDPR officially took effect in May 2018 and came as a replacement for the EU’s 1995 Data Protection Directive. These regulations aim to better protect EU citizens conducting business locally and internationally. The GDPR sets wide-reaching standards that help to ensure citizen personal identification information (PIN) is protected across all business and commerce interactions.
While it may seem like regulatory standards set out by the EU wouldn’t impact Canadian or US professionals – think again. As mentioned, the internet has made it possible for companies to do business across international borders. This means any international businesses who collect or store client data from the EU must remain compliant with these regulations.
Here is the basic regulatory scope of the EU’s GDPR:
- Companies must obtain consent for data processing with all subjects
- Companies must anonymize collected data to protect privacy
- Data transfers that take place across borders must be handled safely
This is only a brief outline of what’s required of businesses under GDPR. In order to be fully informed, business owners should take the time to explore GDPR mandates completely. By understanding the ins and outs of what’s required and the potential penalties, strategies for compliance will be much easier to implement.
For a full rundown on the GDPR, check out this comprehensive guide.
- Personal Information Protection Act (PIPA)
The Personal Information Protection Act (PIPA) was originally enacted in 2003 by the British Colombia provincial government. The act is designed to regulate data security in the private sector, maintain high data security standards to protect BC consumers and hold BC private entities accountable. PIPA outlines how all private sector organizations are to handle the personal information of both its employees and customers.
PIPA offers a common-sense framework that outlines rules about collecting, using, and disclosing any kind of personally identifiable information (PIN). PIPA seeks to help professionals remain compliant while balancing individual rights to data privacy and the reasonable need of private sector organizations to collect, store, and share personal data as required.
Here is the basic regulatory scope of BC’s PIPA:
- Protecting the personal data of BC consumers and employees.
- Mandating private entities in BC to proactively protect PIN.
- Upholding the rights of individuals to be actively involved in the collection, storage, disclosure, and protection of their PIN.
Again, this is only a brief outline of what’s required of BC private entities under PIPA regulations. In order to be fully informed, business owners should take the time to explore PIPA mandates completely. By understanding the ins and outs of what’s required and the potential penalties, strategies for compliance will be much easier to implement.
For a full rundown on the PIPA, check out this comprehensive guide.
Getting Down to Details: In-Depth GDPR vs. PIPA Comparisons by Category
Now that we’ve explained the basic definitions of GDPR and PIPA regulations, we think it’s time to get a little more detailed. By comparing the two regulatory frameworks in a variety of critical categories, you and your team will be able to better understand the differences and similarities between the mandates. Further, by understanding what’s required under each framework, you’ll be able to better develop strategies and policies for compliance with both.
Check out the top five categories for comparison below:
- Defining “Personal Information”
Since both of these compliance frameworks are designed to protect personal information, it’s helpful to develop a comprehensive understanding of how each piece of legislation defines personal information.
The GDPR has a very broad definitional scope of personal information. Under the GDPR framework, personal data is defined as any information relating to an identified or identifiable person – a person who is often referred to as a data subject. This includes any kind of personally identifiable information including: names, identification numbers, location data, online identifiers like IP addresses, or any kind of data that could reveal the physical, physiological, genetic, mental, economic, cultural, or social identity of the person in question.
Additionally, the GDPR outlines special categories of personal data that is considered particularly sensitive. This highly sensitive data is any information that reveals any kind of racial or ethnic details, religious, political, or philosophical beliefs, trade-union membership details, data concerning health, personal relationships, gender, sexual orientation or genetic data and biometrics. The GDPR outlines specific restrictions for protecting this especially sensitive data and prohibits it from being processed when not absolutely necessary.
The PIPA defines personal information as anything that can identify an individual. This includes names, addresses, phone numbers, social insurance numbers, date of birth, financial details. It also includes any personally identifiable information like physical descriptions, educational or employment data, or health information like blood type. The PIPA does not have a separate definition for highly sensitive or especially personal data like the GDPR.
The PIPA allows this personal information to be collected, used, or disclosed for what is deemed ‘reasonable purposes.’ Reasonable is defined as what a reasonable person would think is appropriate in any given situation. Defining and determining what is considered reasonable will depend on a variety of factors including: the kind of data collected, the amount of data collected, how the information is to be used, and where or to whom the data is to be disclosed.
- Understanding the Rights of Subjects
Next, it’s critical to understand the rights of data subjects that are set out by both the GDPR and the PIPA regulatory frameworks. This section will help you better understand the rights of your clients, employees and any other individuals that you collect personal data from.
The GDPR outlines a broad variety of rights for data subjects to ensure they have an active voice in the protection of their own data. Under the GDPR, data subjects have the following rights:
- Right to be informed when, why, and how data is collected.
- Right to access their personal data stores as required.
- Right to correct any incorrect personal data that has been collected.
- Right to erase any of their collected personal data.
- Right to understand data storage and portability processes.
- Right to object data collection and processing.
- Right to access the logic behind automated decision making.
The PIPA data subject rights are not as extensive or broad as those outlined under the GDPR. However, PIPA subjects are entitled to the following data protection rights:
- Right to access the personal data a given organization or business has collected on them
- Right to insist that incorrect or incomplete personal data be corrected.
- Breach Notification Protocols
Both the GDPR and the PIPA set out strict regulations regarding the responsibilities of business entities in the case of data breach. When data security is breached, organizations are subject specific to notification requirements.
Under the GDPR, individuals affected by a data breach must be notified by the breached organization within 72 hours of breach discovery. Breaches that impact the rights and freedoms of individuals require immediate notification without any kind of undue delay. The notification must include:
- Full details of the breach,
- The approximate number of individuals affected,
- Potential consequences of the breach, and
- Ways to mitigate any of these potentially harmful consequences.
The PIPA does not have explicit data breach notification requirements. However, in the case of breach, PIPA organizations may be required to notify affected individuals in order to satisfy more broad compliance and protection regulations set out in other sections.
- Proactive Compliance Requirements
In terms of maintaining both GDPR and PIPA compliance, covered entities are required to make an explicit and concentrated effort to proactively protect data security and uphold compliance. This means that both the GDPR and the PIPA frameworks outline a variety of proactive security measures that organizations can implement to maintain compliance and protection.
The GDPR requires that covered entities implement a variety of technical and procedural measures to demonstrate a proactive approach to data security compliance. The GDPR requires organizations to explicitly demonstrate that they have made proactive efforts to uphold secure data governance by:
- Implementing privacy impact assessments
- Conducting regular data security audits
- Drafting policy and procedure reviews
- Taking frequent activity reports
- Appointing a designated Data Protection Officer to oversee compliance management
Under the PIPA framework, covered entities must also make a reasonable effort to proactively protect the personal information they collect, store, and transmit. While the suggestions aren’t made explicitly under PIPA, it is recommended that covered entities undertake privacy impact assessments, regular audits, and policy and procedural reviews similar to those detailed under the GDPR.
Additionally, PIPA also requires that organizations designate a single person or an internal team to manage and effectively implement PIPA compliance. Further, the identity and contact information of this data protection officer should be publicly accessible so that questions and concerns can be directed appropriately as needed.
Penalties for Non-Compliance
Another very important area to consider when reviewing GDPR and PIPA regulations is the potential consequences for non-compliance. The regulations set out by each framework have their own set of corresponding financial penalties that covered entities should be keenly aware of.
Organizations that are non-compliant with GDPR regulations could face very significant fines. In terms of compliance penalty, the GDPR sets out two broad tiers of sanctions. Most serious infringements can result in fines up to $20 million or 4% of an entity annual turnover. These serious fines apply to the following areas of compliance:
- Basic data processing & collection consent
- The rights of data subjects
- International data transfers
The second penalty tier can result in administrative fines of up to $10 000 or 2% of an entity annual turnover. These smaller fines are related to the following areas of compliance:
- Breach notification obligations
- Certification obligations
- Monitoring obligations.
Finally, the GDPR also details explicit permission for public interest organizations to bring class action lawsuits against non-compliant entities on behalf of individuals for data breaches that impede upon their rights.
Penalties for PIPA non-compliance aren’t as extensive or detailed as the GDPR, however, covered entities are still subject to potentially impactful fines. Under PIPA regulations, individuals can be fined up to $10 000 for non-compliance and organizations can be liable for up to $100 000 for non-compliance.
Strategies for Compliance: How Can Your BC Organization Stay GDPR & PIPA Compliant?
So, now that we’ve laid out the basic parameters of both the GDPR and the PIPA compliance frameworks, you’re probably wondering – how in the world do I go about ensuring my organization remains compliant with both?
The reality is, the only way to remain compliant is to remain informed. Using this guide as a starting point, ensure you and your team understand what’s required of you under each regulatory framework. Ensuring that you know the data security requirements required of your organization – on both the provincial and international level – will help you make sure that the personal data you collect remains secure and compliant.
Simply put, the GDPR offers broader and more extensive data security requirements than PIPA – so, if you commit yourself to stay complaint with these international regulations, you’ll be compliant with PIPA’s more limited and vague regulations as well. However, it’s recommended that you get to know both frameworks as well as possible to ensure your compliance effort is as comprehensive as possible.
When in doubt, don’t hesitate to reach out to an experienced IT consultant for guidance and strategic assistance. The right IT professionals will have experience implementing compliant and secure network infrastructure for businesses of all sizes. A strategic IT consultant will have their finger on the pulse of the continually evolving regulatory standards that your organization should consider and will help streamline and supplement your compliance effort.
Did you find this article informative? We’re happy to help! If you liked this, check out these other articles we think you’ll love: