Preparing for Compliance to the Modernization of Privacy Laws in Canada

With all the different legislation either already enacted or being enacted in different jurisdictions, organizations may find it difficult to determine what they need to do to ensure they meet the requirements. However, there are privacy best practices that can be put in place to help organizations be better prepared to meet the obligations. 

In this article we will look at some of those best practices. 

Best Practices 

Let’s look at some data protection best practices that will help an organization adapt to the requirements of privacy laws. 

1. Identify personal information that is created, received, and shared 

Identifying person information is a common obligation of privacy laws. This involves tracking the flow of personal information across and through different applications. It also includes where the personal information is stored and with whom the information is shared with. In simple terms, organizations need an inventory of the information they have, why they have it and what it is being used for.  

As we mentioned earlier, personal information includes any information about a person that makes the person identifiable including things like a person’s email or mobile number or even subjective information like evaluations or comments. The Office of the Privacy Commissioner of Canada (OPC) gives some good examples of what constitutes personal information.  

2. Ensure personal information is secure both internally across the organization and externally to protect against breaches or unintentional disclosure 

Locking down databases where personal information resides is only the start of ensuring the security of the personal data. Many organizations don’t think about other areas that the data may reside. Examples include the personal data in emails, customer lists on employee laptops, backups in the cloud. Organizations need to ensure they think about security at all levels of an organization with layers of security that mitigate risks. 

Protecting the data internally is crucial but organizations need to also work with any third party partners they engage with to ensure that they have the privacy policies, processes and security in place that meet the personal information requirements. 

3. Ability to respond to requests from people regarding their data and who the data is being shared with  

Organizations need to have a system in place that can gather the information being requested across the organization. For example, customer service may have some data on that person while accounting may have other data on that same person. Unfortunately, not providing the correct information to the requestors may lead to penalties and fines therefore, organization need to consider these areas when setting up their systems. 

4. Create processes for producing personal information reports 

A common requirement of privacy laws is allowing people to get a copy of the data they requested in a simple format. Therefore, the system developed to gather the personal information should also have the capability of generating a report with all the information for people who request a copy of the data. 

5. Develop a process for deleting personal information 

Another common requirement across many privacy laws is the right of a person to have personal information deleted or anonymized. The challenge for organizations is to ensure that they don’t delete or anonymize information that is required to comply with other laws in their specific industry. For example, organizations in the healthcare industry may have specific requirements when it comes to data. When looking at deleting personal information, organizations should consider what data they require for their success as well as what data needs to be preserved under data retention policies to determine what data can be deleted or anonymized. 

6. Personal information data hygiene 

As data storage costs have decreased, organizations have had the tendency to keep personal information longer than for the purpose it was designated for. Organizations need to take the opposite approach. Collect only the information needed for the designated purpose and store that information for only as long as the designated purpose is achieved. By doing this organizations reduce their exposure by limiting the personal information collected and the duration that information is retained. 

With the various provincial, federal, and global privacy laws tabled or already enacted, organizations may find it difficult to ensure compliance. The above best practices provide a good start. However, to better understand the impact of the privacy laws on your organization, we highly recommend engaging with a legal expert with specific expertise in privacy laws. 

IT Service Providers, like MicroAge, can help with your privacy journey by providing services and solutions related to the security, storage, backup, and recovery of data.  

Contact us today to see how we can help.