Preparing for Compliance to the Modernization of Privacy Laws in Canada

With all the different legislation either already enacted or being enacted in different jurisdictions, organizations may find it difficult to determine what they need to do to ensure they meet the requirements. However, there are privacy best practices that can be put in place to help organizations be better prepared to meet the obligations. 

In this article we will look at some of those best practices. 

Best Practices 

Let’s look at some data protection best practices that will help an organization adapt to the requirements of privacy laws. 

1. Identify personal information that is created, received, and shared 

Identifying personal information is a common obligation of privacy laws. This involves tracking the flow of personal information across and through different applications. It also includes identifying where the personal information is stored and with whom it is shared. In simple terms, organizations need an inventory of the information they have, why they have it, and what it is being used for.

As we mentioned earlier, personal information includes any information about a person that makes the person identifiable, including things like a person’s email or mobile number, or even subjective information like evaluations or comments. The Office of the Privacy Commissioner of Canada (OPC) gives some good examples of what constitutes personal information.

2. Ensure personal information is secure both internally across the organization and externally to protect against breaches or unintentional disclosure 

Locking down databases where personal information resides is only the start of ensuring the security of personal data. Many organizations don’t think about other places where the data may reside. Examples include personal data in emails, customer lists on employee laptops, and backups in the cloud. Organizations need to think about security at all levels of the organization, with layers of security that mitigate risks.

Protecting the data internally is crucial, but organizations also need to work with any third-party partners they engage to ensure that those partners have the privacy policies, processes and security in place to meet the personal information requirements.

3. Ability to respond to requests from people regarding their data and who the data is being shared with  

Organizations need to have a system in place that can gather the requested information from across the organization. For example, customer service may have some data on a person while accounting may have other data on that same person. Unfortunately, not providing the correct information to requestors may lead to penalties and fines; therefore, organizations need to consider these areas when setting up their systems.

4. Create processes for producing personal information reports 

A common requirement of privacy laws is allowing people to get a copy of the data they requested in a simple format. Therefore, the system developed to gather the personal information should also have the capability of generating a report with all the information for people who request a copy of the data. 

5. Develop a process for deleting personal information 

Another common requirement across many privacy laws is the right of a person to have personal information deleted or anonymized. The challenge for organizations is to ensure that they don’t delete or anonymize information that is required to comply with other laws in their specific industry. For example, organizations in the healthcare industry may have specific requirements when it comes to data. When looking at deleting personal information, organizations should consider what data they require for their success as well as what data needs to be preserved under data retention policies to determine what data can be deleted or anonymized. 

6. Personal information data hygiene 

As data storage costs have decreased, organizations have tended to keep personal information longer than needed for the purpose for which it was designated. Organizations need to take the opposite approach: collect only the information needed for the designated purpose, and store that information only for as long as it takes to achieve that purpose. By doing this, organizations reduce their exposure by limiting the personal information collected and the duration that information is retained.

With the various provincial, federal, and global privacy laws tabled or already enacted, organizations may find it difficult to ensure compliance. The above best practices provide a good start. However, to better understand the impact of the privacy laws on your organization, we highly recommend engaging with a legal expert with specific expertise in privacy laws. 

IT Service Providers, like MicroAge, can help with your privacy journey by providing services and solutions related to the security, storage, backup, and recovery of data.  

Contact us today to see how we can help. 
