If you use computer software or websites, you probably have heard of the EU General Data Protection Regulation (GDPR.) It seems that everyone is gearing up to be compliant by May 25, 2018.
The GDRP is based on seven key principles. These are:
- Lawful, fair and transparent processing,
- Purpose limitation,
- Data Minimization,
- Accurate and up-to-date processing,
- Limitation of storage in the form that permits identification,
- Confidential and secure, and
- Accountability and liability.
For the most part, I have always worked towards compliance with this regulation, but I will not be compliant on May 25, 2018. I will point out that I am not required to be compliant as I do not work explicitly with EU citizens. My work is with Canadian resident individuals/businesses and individuals/businesses who have Canadian tax implications.
Compliance with all but the final principle is currently in place. In order to be compliant with the accountability and liability principle, I am required to be able to remove client data. Under Canadian laws and regulations, I am required to keep that same data for audit by the government. While I can move client information to an inactive state, I can’t remove it. This is the extent that I can be compliant.
If a EU citizen wishes to use my services, they must be aware that, during a conflict between the Canadian requirement to retain the information and the EU requirement to permit someone “to be forgotten,” I must remain compliant with the Canadian requirements.
For the above reason(s), I must regretfully decline full compliance with GDPR.