August 10, 2018 by Greg Meckbach
New privacy rights for Europeans have changed the way a Canadian multinational business software provider looks at its liability risk.
The European General Data Protection Regulation (GDPR) took effect May 25 and makes it mandatory for companies to disclose data breaches.
GDPR has placed a number of new obligations on Open Text Corporation, a Waterloo, Ont.-based company that sells a variety of business software products, including applications intended to make it easier for firms to manage their computerized documents on customers and employees. Open Text employs 12,200 people and reported revenues of $2.8 billion during the year ending June 30, 2018. The company has operations around the world, including in the United States, India, Germany and Britain.
In its management discussion and analysis of its financial results for the year ending June 30, Open Text referred generally to the impact of “new mechanisms for obtaining consent from data subjects, new controls for data subjects with respect to their personal data [for example, enabling people to erase their data or transfer it elsewhere], and limitations on retention of personal data and mandatory data breach notifications. Privacy-related claims or lawsuits initiated by governmental bodies, customers or other third parties, whether meritorious or not, could be time-consuming, result in costly regulatory proceedings, litigation, penalties and fines, or require us to change our business practices, sometimes in expensive ways.”
Open Text is simply a representative case study of what risk managers in other Canadian companies will be encountering, industry analysts say. GDPR “should be top of mind” for Canadian risk managers, whether or not they actually have operations in Europe, Terri Mason, assistant vice president for cyber and professional liability at CNA Canada, told Canadian Underwriter earlier.
GDPR gives citizens of the European Union’s 28 member states certain rights, including an entitlement to have their personally identifiable information deleted when it is “no longer necessary in relation to the purposes” for which it was collected.
Privacy laws constantly evolve, as foreign governments and regulators continue to adopt new measures to address data privacy and processing (including collection, storage, transfer, disposal and use) of personal data, Open Text said in its MD&A. “It is possible that such laws and regulations may be interpreted or applied in a manner that is inconsistent with our existing data management practices or the features of our products and services.”