Preparing for Compliance to the Modernization of Privacy Laws in Canada

With all the different legislation either already enacted or being enacted in different jurisdictions, organizations may find it difficult to determine what they need to do to ensure they meet the requirements. However, there are privacy best practices that can be put in place to help organizations be better prepared to meet the obligations. 

In this article we will look at some of those best practices. 

Best Practices 

Let’s look at some data protection best practices that will help an organization adapt to the requirements of privacy laws. 

1. Identify personal information that is created, received, and shared 

Identifying person information is a common obligation of privacy laws. This involves tracking the flow of personal information across and through different applications. It also includes where the personal information is stored and with whom the information is shared with. In simple terms, organizations need an inventory of the information they have, why they have it and what it is being used for.  

As we mentioned earlier, personal information includes any information about a person that makes the person identifiable including things like a person’s email or mobile number or even subjective information like evaluations or comments. The Office of the Privacy Commissioner of Canada (OPC) gives some good examples of what constitutes personal information.  

2. Ensure personal information is secure both internally across the organization and externally to protect against breaches or unintentional disclosure 

Locking down databases where personal information resides is only the start of ensuring the security of the personal data. Many organizations don’t think about other areas that the data may reside. Examples include the personal data in emails, customer lists on employee laptops, backups in the cloud. Organizations need to ensure they think about security at all levels of an organization with layers of security that mitigate risks. 

Protecting the data internally is crucial but organizations need to also work with any third party partners they engage with to ensure that they have the privacy policies, processes and security in place that meet the personal information requirements. 

3. Ability to respond to requests from people regarding their data and who the data is being shared with  

Organizations need to have a system in place that can gather the information being requested across the organization. For example, customer service may have some data on that person while accounting may have other data on that same person. Unfortunately, not providing the correct information to the requestors may lead to penalties and fines therefore, organization need to consider these areas when setting up their systems. 

4. Create processes for producing personal information reports 

A common requirement of privacy laws is allowing people to get a copy of the data they requested in a simple format. Therefore, the system developed to gather the personal information should also have the capability of generating a report with all the information for people who request a copy of the data. 

5. Develop a process for deleting personal information 

Another common requirement across many privacy laws is the right of a person to have personal information deleted or anonymized. The challenge for organizations is to ensure that they don’t delete or anonymize information that is required to comply with other laws in their specific industry. For example, organizations in the healthcare industry may have specific requirements when it comes to data. When looking at deleting personal information, organizations should consider what data they require for their success as well as what data needs to be preserved under data retention policies to determine what data can be deleted or anonymized. 

6. Personal information data hygiene 

As data storage costs have decreased, organizations have had the tendency to keep personal information longer than for the purpose it was designated for. Organizations need to take the opposite approach. Collect only the information needed for the designated purpose and store that information for only as long as the designated purpose is achieved. By doing this organizations reduce their exposure by limiting the personal information collected and the duration that information is retained. 

With the various provincial, federal, and global privacy laws tabled or already enacted, organizations may find it difficult to ensure compliance. The above best practices provide a good start. However, to better understand the impact of the privacy laws on your organization, we highly recommend engaging with a legal expert with specific expertise in privacy laws. 

IT Service Providers, like MicroAge, can help with your privacy journey by providing services and solutions related to the security, storage, backup, and recovery of data.  

Contact us today to see how we can help. 

Get the most from your IT

As service providers to more than 300 companies, the dedicated professionals at MicroAge are second to none when it comes to managed services. By improving efficiency, cutting costs and reducing downtime, we can help you achieve your business goals!

Most commented posts

Advantages of IT Staffing Services for Your Business

Competent and trustworthy staff are the key to any successful business, but it can be difficult at times to find the right professionals suited for…

Read More
audit tech

Back to the Office: Auditing Tech and Adjusting your Business

Many businesses were not ready for the global health crisis we were plunged into and needed to adapt quickly. Now that economies worldwide are reopening…

Read More
Create a team in Microsoft Teams

How to Build a Team in Microsoft Teams in 10 steps

Many organizations have started using Microsoft Teams for online meetings and chat. The fact is, in the past year, the usage of Microsoft Teams has…

Read More

Preparing for Compliance to the Modernization of Privacy Laws in Canada

With all the different legislation either already enacted or being enacted in different jurisdictions, organizations may find it difficult to determine what they need to…

Read More
fin de vie windows 7 2008 end of life

Windows 7 and Windows Server 2008 End of Support

The end of 2019 marks another momentous ending—when Microsoft will finish releasing security updates for Windows 7 and Windows Server 2008 R2. Here’s what this…

Read More