Major changes to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) are coming into law this fall. Now is the time for organizations to pay careful attention to their role in protecting the privacy of customers.
Over the course of this series, we have highlighted the most important amendments that will be taking effect on November 1st, 2018. Mandatory breach reporting, record keeping and Payment Card Industry Data Security compliance are the three practices that will have the most impact on organizations nationwide. Failure to comply in these areas could have adverse consequences, as explained in our second installment.
The world is demanding privacy protection and governments are responding, but where does this leave Canadian businesses?
Six Steps to Take to Prepare Your Business:
Step One: Become Fully Informed Of New Obligations
The most essential way to prepare for compliance is to understand exactly what is changing, what the new requirements are and when these obligations take effect. Once you have a strong understanding, it is time to implement policies and procedures within your organization that align with these amendments. Conduct a privacy law compliance audit before developing or revising your data breach response plan.
Make sure that your staff is aware of what is changing and why it is important to align all procedures in accordance with the law. Everyone in your organization must understand his or her role in achieving and maintaining compliance. Let your staff know that they should ask questions to reinforce their comprehension as well as your own.
Step Two: Mitigate Third Party Contractor Risk
This step is forgotten all too frequently. However, it is an incredibly important requirement that could cause a lot of trouble if overlooked.
In order to prepare for compliance, an organization must review key third party contracts and determine whether they include proper liability mechanisms. Contractors should be accountable for enabling, monitoring, reporting and verifying their PIPEDA compliance.
All organizations that provide data processing services should certify that contracts with customers have wording that discusses personal information security breach obligations.
Step Three: Decrease Employee Error
Data breaches mostly occur because of employee error. It is true that some breaches are malicious, but more often than not they are caused by inadvertent neglect or error. These mistakes can be made worse when an organization does not have the proper protection strategies in place to handle such an incident.
Implementing a plan to avoid and handle data breaches is a proactive measure. Check in with employees to ensure they are being mindful of their duties. Some blunders can be avoided simply by increasing communication.
Step Four: Paper Trail
During the planning process and after compliance is achieved, your organization creates a discoverable paper trail. The materials created must be disclosed to the other party if a lawsuit is filed or other legal proceedings occur. This is important to note as you progress toward compliance, as it could either benefit or harm you if future litigation arises.
Step Five: Protect your privilege
Lawsuits are increasingly common in the United States and are on the rise in Canada. The increased likelihood of lawsuits makes it extremely urgent for organizations to make every effort to shield themselves. This means protecting their privacy gap analysis materials under legal privilege. Otherwise, those materials will be available to the Privacy Commissioner upon request during an investigation and can be used against the organization in a civil lawsuit.
- Provide upfront information about what data will be collected, how it is used and who will have access to it
- Provide this information in a ‘layered’ presentation, allowing the individual to decide how much detail they want to glean about their data
- Design is important. Have fun creating interactive tools that are both eye-catching and intuitive
- Remember that, should an individual wish to withdraw consent at any time, you must stop any further collection, use or disclosure of their personal information
According to experts, the Government of Canada is making the right move by updating privacy laws and holding businesses to a higher standard of responsibility. Canada has been praised for following Europe’s doctrine and helping to raise the bar for privacy regulations across the globe.
Despite the positive aspects for users, the GDPR now governing the E.U. has been one of its most contested laws to date. It is yet to be determined how Canadian businesses themselves will be impacted under similar directives. The new rules dictate that organizations must track all security breaches involving personal information for two years. Meanwhile the controversial question of what really constitutes “real risk of significant harm” to breach-affected individuals looms on the periphery.
No matter the politics surrounding these new amendments, one thing is certain: compliance cannot be taken lightly. The only real way to prevent liability is to stop data breaches from striking your business. Breach-reduction strategies should be action items on every Canadian business's agenda.
There are only two months remaining to get ready for the PIPEDA amendments. Are you ready?