Preparing for Compliance to the Modernization of Privacy Laws in Canada

With all the different legislation either already enacted or being enacted in different jurisdictions, organizations may find it difficult to determine what they need to do to ensure they meet the requirements. However, there are privacy best practices that can be put in place to help organizations be better prepared to meet the obligations. 

In this article we will look at some of those best practices. 

Best Practices 

Let’s look at some data protection best practices that will help an organization adapt to the requirements of privacy laws. 

1. Identify personal information that is created, received, and shared 

Identifying person information is a common obligation of privacy laws. This involves tracking the flow of personal information across and through different applications. It also includes where the personal information is stored and with whom the information is shared with. In simple terms, organizations need an inventory of the information they have, why they have it and what it is being used for.  

As we mentioned earlier, personal information includes any information about a person that makes the person identifiable including things like a person’s email or mobile number or even subjective information like evaluations or comments. The Office of the Privacy Commissioner of Canada (OPC) gives some good examples of what constitutes personal information.  

2. Ensure personal information is secure both internally across the organization and externally to protect against breaches or unintentional disclosure 

Locking down databases where personal information resides is only the start of ensuring the security of the personal data. Many organizations don’t think about other areas that the data may reside. Examples include the personal data in emails, customer lists on employee laptops, backups in the cloud. Organizations need to ensure they think about security at all levels of an organization with layers of security that mitigate risks. 

Protecting the data internally is crucial but organizations need to also work with any third party partners they engage with to ensure that they have the privacy policies, processes and security in place that meet the personal information requirements. 

3. Ability to respond to requests from people regarding their data and who the data is being shared with  

Organizations need to have a system in place that can gather the information being requested across the organization. For example, customer service may have some data on that person while accounting may have other data on that same person. Unfortunately, not providing the correct information to the requestors may lead to penalties and fines therefore, organization need to consider these areas when setting up their systems. 

4. Create processes for producing personal information reports 

A common requirement of privacy laws is allowing people to get a copy of the data they requested in a simple format. Therefore, the system developed to gather the personal information should also have the capability of generating a report with all the information for people who request a copy of the data. 

5. Develop a process for deleting personal information 

Another common requirement across many privacy laws is the right of a person to have personal information deleted or anonymized. The challenge for organizations is to ensure that they don’t delete or anonymize information that is required to comply with other laws in their specific industry. For example, organizations in the healthcare industry may have specific requirements when it comes to data. When looking at deleting personal information, organizations should consider what data they require for their success as well as what data needs to be preserved under data retention policies to determine what data can be deleted or anonymized. 

6. Personal information data hygiene 

As data storage costs have decreased, organizations have had the tendency to keep personal information longer than for the purpose it was designated for. Organizations need to take the opposite approach. Collect only the information needed for the designated purpose and store that information for only as long as the designated purpose is achieved. By doing this organizations reduce their exposure by limiting the personal information collected and the duration that information is retained. 

With the various provincial, federal, and global privacy laws tabled or already enacted, organizations may find it difficult to ensure compliance. The above best practices provide a good start. However, to better understand the impact of the privacy laws on your organization, we highly recommend engaging with a legal expert with specific expertise in privacy laws. 

IT Service Providers, like MicroAge, can help with your privacy journey by providing services and solutions related to the security, storage, backup, and recovery of data.  

Contact us today to see how we can help. 

Get the most from your IT

As service providers to more than 300 companies, the dedicated professionals at MicroAge are second to none when it comes to managed services. By improving efficiency, cutting costs and reducing downtime, we can help you achieve your business goals!

Most commented posts

How to Train Your Staff to be Savvy About Cyber Security Threats

As a business owner, you do everything you can to keep your business safe. You think before checking strange emails, you avoid risky sites, and…

Read More
Industry of hacking

The Industry Of Hacking: Understanding The Business Behind Cybercrime

Cybercrime is big business with some hackers making massive annual profits. With the world being so dependent on technology, cybercriminals have loads of opportunities. There…

Read More
the importance of data backups

Why Data Backups Are Vital To Protect Your Business Data

When you lose data on your home computer, you may lose receipts, banking statements, and treasured memories. However, when you lose data on your office…

Read More

Preparing to Create Your Incident Response Plan

Often, when we consider creating incident response plans, we have cyber incidents in mind. This is not surprising, given the ever-increasing frequency of cyber attacks…

Read More
IT staffing services

How to Avoid Staffing Outages with IT Staffing Services

Your staff and the abilities they possess are what can make or break your business. Having a fully staffed team can make any challenge easy…

Read More