Did you know that, when and if Bill C-27 passes, the maximum financial penalty for severe infractions goes up by 250x, to $25M CAD or 5% of the organization’s revenue, whichever is GREATER?!
Did you also know that Canada’s Anti-Spam Legislation (CASL) is amongst the most stringent in the world? The legislation has helped to reduce spam since its inception in 2014 and has caused companies to be more disciplined in managing their electronic marketing campaigns, especially with the threat of penalties and fines of up to $1M for individuals and up to $10M for organizations.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal privacy legislation for private-sector organizations engaged in commercial transactions and for employees of FWUBs (federal works, undertakings, or businesses). And although some provinces (British Columbia, Alberta, Quebec) have their own provincial privacy laws that are deemed substantially similar to PIPEDA, PIPEDA still applies when and if a company transmits personal information across provincial or national borders.
So what is “personal information” and what’s all the concern about?
“Personal Information” can be defined as information about an identifiable individual, or information that can be used to identify an individual. So, we’re talking about identifiers such as name, phone number, email address, home address, date of birth, social insurance number, and so forth; not to mention health and biometric data (voiceprint, fingerprint, etc.), banking information, ethnicity and nationality, and sexual preference. And it doesn’t end there, but I think you get the idea.
Now, more than ever, data is everywhere and it has become really difficult to track all the places we’ve shared personal information and identify who (or what institution) has and is using our information.
Did you know that over the past ten years, some very recognizable brands – Amazon, CapitalOne, Equifax, Home Depot, Instagram, TikTok, Meta (Facebook), T-Mobile, Uber, and Morgan Stanley (to name a few) – have all been fined over $100M for data breaches or non-compliance with privacy legislation?
As a business leader, or business owner, do these threats keep you up at night, or do you have a sufficient privacy program in place in your organization so you can sleep peacefully?
In a 2022-2023 survey, 93% of Canadians expressed concern regarding their protection of privacy.
Canadians are equally concerned about identity theft and, rightly so, in this day and age where identity theft can all be done remotely with a mobile phone and an internet connection.
In response to this, Canadian privacy legislation is becoming more and more strict about what personal information organizations can collect and use.
Organizations need to identify, in advance, how they intend to use personal information they collect, and notify individuals at or before the time it is collected.
Organizations also need to identify an individual in their organization who is responsible for designing and implementing practices to comply with privacy legislation. This includes identifying and documenting the following:
- what personal information is being collected (list all fields)
- what is the specific use/purpose for each piece of personal information
- how is the organization obtaining consent from the individual to collect, use, or disclose their personal information (verbal/written, expressed/implied)
- whether or not an individual’s personal information will be disclosed outside of the organization (i.e., to third parties, vendors, partners, cloud-service providers, etc.)
- in what jurisdictions is the personal information being stored (which provinces and/or countries)
- at what point in time an individual’s personal information will be disposed of (retention schedule)
- how to facilitate an individual’s request to access, update, or delete their personal information
- how an individual’s personal information is safeguarded (in both physical and digital forms)
- is the personal information being used to automate any decisions about the individual
Does your company’s privacy program adequately address all of this for customers and employees? If yes, awesome! If not, read on…
With substantial changes in privacy legislation (example: Quebec’s Bill 64, enacted on September 22, 2021), meaning much more stringent guidelines in favor of a “privacy by default” approach, do you know the requirements for collecting and obtaining consent for the use of personal information? Do you know how and what personal information is being collected and safeguarded? How long are you supposed to retain personal information for, and then how do you dispose of it appropriately? Are you in compliance with Canada’s Anti-Spam Legislation (CASL) when sending Commercial Electronic Messages (CEMs) to mobile phone numbers, email addresses, or instant messaging accounts?
What does this all mean for your business?
It means that if you own or lead a private-sector or non-profit organization, BEWARE of the personal information that you are collecting, using, or disclosing, and understand that you have an obligation to comply with privacy and protection of personal information laws. Ignorance, or failure to comply with privacy legislation, coupled with a privacy complaint or a data breach can result in you or your organization receiving hefty fines, experiencing a loss of reputation in the news, unexpected legal efforts, and suddenly being faced with a whole bunch of work to do to develop and implement privacy practices in a hurry.
So you got my attention…what am I supposed to do to reduce my risk?
The answer is simple (but I didn’t say “easy”): read on!
- Begin with a quick self-assessment for you to gauge your preparedness for managing privacy within your business.
- Begin taking action with a few tips to help you develop a robust privacy program.
Let’s begin by offering you a simple privacy self-assessment for your organization.
If you do business in Canada in the private sector and you’re wondering about your company’s preparedness to comply with privacy legislation, take the following self-assessment (you don’t need to share your answers and we do not ask you for any personal or business information).
With what you have learned through your privacy self-assessment survey, how are you feeling about the peaceful sleep we mentioned? Good, we hope. But, if not good, we have a couple of recommendations for you:
- Bring in a third-party consultant (like Process Primer!) who specializes in Canadian Privacy and Privacy Programs to conduct a detailed assessment and help you develop a plan to create a privacy program that is right-sized for your organization.
- Identify a Privacy Officer for your organization, train them, and task them with developing and overseeing your organization’s privacy program.
What if I want to build my own privacy program?
Excellent question and glad you asked! You’re on the right track to protecting personal information and reducing risk and liability for your organization.
If you plan on developing your own privacy program, you should start by downloading our free Basic Privacy Program Template. It will give you the basic outline that you need for your privacy program. You can add, remove, and edit it, update the font and colors, as well as your company logo, and make it your own. Your next step after downloading the template will be to designate and train a Privacy Officer within your organization to figure out how to build out the necessary content within the template.
Important Note on Privacy Officer: if a privacy officer has not been identified/delegated for an organization, the ownership and accountability for privacy compliance defaults to the CEO or the Owner.
Should you need more comprehensive support on developing your privacy program and policies, or you need fractional privacy consulting services, we’re certified and experienced to help you with that. Use the “Contact Us” link to reach out anytime!
Comprehend. Reimagine. Outperform.