There is no rest for those charged with ensuring personal data held by organizations remains safe. So while Data Privacy Day falls this year on Sunday – it’s always observed on January 28th – we can expect privacy officers will spend it like any other day: thinking about the state of protection of the data in their care.
Judging by the ever-increasing number of data breaches here (and around the world), that worry is justified.
Few Canadian experts are satisfied with the way the private and public sectors are protecting the personal data of customers and partners.
“It’s not in bad shape, but it needs improvement,” says Ann Cavoukian, expert-in-residence, at Ryerson University’s Privacy by Design Centre of Excellence.
The admission this week by Bell Canada of a data breach, eight months after a major breach, was “extremely disappointing,” she said. In addition, she believes Ottawa has to update the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal privacy law, to bring it into compliance with the European Union’s tough General Data Protection Regulation (GDPR) that comes into effect May 25.
The privacy laws of countries whose companies hold data of EU residents have to be seen as equivalent to the GDPR. The EU gave PIPEDA equivalency to its current privacy laws, but it isn’t clear if that holds for the GDPR. So far Ottawa’s position seems to be PIPEDA should meet the EU standard.
Regardless, GDPR will be a “game changer” for Canadian companies that have to comply with it, Cavoukian said. Consumers will have to give express consent to have their personal data used for any purpose other than the one for which it was originally collected, she notes.
Kris Klein, managing director of the International Association of Privacy Professionals (IAPP) Canada and partner in the Ottawa consulting firm nNovation, notes two other matters privacy professionals have to deal with this year. At some point it is expected Ottawa will announce the final version of the data breach notification regulations that organizations under federal jurisdiction will have to follow if there is a violation of data safety controls. There will be a grace period of some months before the regulations come into effect.
In addition, federal privacy commissioner Daniel Therrien says he’s ready to launch investigations into questionable private sector privacy practices or “chronic problems” on his own when necessary. It isn’t clear what his parameters are.
“We’re entering a period of flux and uncertainty, mostly caused by GDPR and ePrivacy regulation,” says Klein. “And I think that will necessitate change in Canada. We already know about breach notification legislation, which will be a big change in 2018 once those regulations come into effect.” It will cause organizations to re-evaluate their systems and policies, he said. “The last thing they’d want is to be audited and find they don’t have the program in place that meets the obligation, because they can be fined if they’re not doing it properly.”
Ale Brown, founder of Kirke Management Consulting, a Vancouver-based privacy consulting firm, said that in her experience, a “fair number of Canadian organizations are not fully aware of what GDPR is, how it will impact them and what to do about it, so they are taking comfort in their ‘ignorance.’ Some of them simply do not want to deal with it because they see it as an unnecessary expense, without realizing that in the long-term it is going to be cheaper to deal with it now than paying the consequences later.”
Canadians are worried
Certainly the Canadian public worries about privacy. In his latest annual report to Parliament, federal privacy commissioner Daniel Therrien noted that in a January 2017 poll, 92 per cent of respondents expressed concern about the protection of their privacy and a clear majority (57 per cent) were very concerned.
“This is certainly troubling,” he said. “Something must change or we run the risk that Canadians will lose trust in the digital economy, thus hindering its growth and they may not enjoy all the benefits afforded by innovation. More fundamentally, it is quite unhealthy in a democracy when most citizens fear one of their basic rights is routinely not respected.”
The C-suite should also consider a just-released global privacy study by Cisco Systems which concluded privacy-mature organizations experience shorter delays in their sales cycle due to customer data privacy issues. They also suffer lower losses associated with data breaches.
“Given these results, every organization should better understand the impact of data privacy on their sales cycle,” the report concludes. “Businesses should assess what percentage of their product or service portfolio may be impacted by customer privacy concerns and quantify the potential size of any delays. Work should be done to minimize the delays, which could include:
1. Ensuring that salespeople have timely access to information that addresses common customer privacy concerns
2. Establishing teams to quickly investigate customer issues as they arise
3. Working with engineering and product development to make any needed changes, ideally ensuring that privacy is built in from the beginning.”
Be clear on user consent
Clarity about user consent over the corporate use of their personal data should also be on the minds of executives. During a consultation last year Therrien said his office “heard how utterly powerless individuals feel in the digital marketplace when it comes to controlling how their personal information is collected and used by companies. Consumers are befuddled by incomprehensible privacy policies, yet feel compelled to consent if they are to obtain the goods or services they desire. Some group participants even said that with the information provided, they are ‘never’ really able to give informed consent.”
He has issued two draft guidelines: one on how organizations should obtain meaningful consent online, the other on inappropriate corporate data practices. For example, his office believes requiring passwords to social media accounts for the purpose of employee screening would generally not be considered appropriate. Final guidelines are expected to be issued this year.
Without doubt a good cyber security strategy is key to data protection and privacy. Public Safety Canada offers good resources here for organizations that are early in the game. The federal privacy commissioner has resources here for ways businesses can protect personal data and comply with PIPEDA. The IAPP has resources here, including how to conduct a privacy assessment.
Which raises the question of the biggest mistakes firms make in failing to adequately protect the personal data they collect.
Collecting too much of it, replied Kris Klein, because it’s easy. “We don’t yet have privacy baked in as a default (to company procedures), it only comes in as an afterthought. And as a result, the technological and knee-jerk reaction is, ‘If you can collect it, do so and we’ll figure out what to do after.’”
Poor planning, answered Ale Brown. “The changes on how we do business have taken place very fast and a lot of companies are failing to catch up. But simple steps can help them mitigate the risks of experiencing a data breach such as having a privacy framework in place that includes policies and processes where all employees understand their role and responsibility when it comes to safeguarding personal information.
“Having a breach management and response plan ensures that companies know what steps to take to identify, manage and remediate a breach. A strong IT security infrastructure with the appropriate mechanisms to ensure safe storage and transfer of personal data. And last but not least, the appropriate priority at the executive level to ensure that the risks of not protecting personal data are taken seriously and avoided to the best of their abilities.”
Ann Cavoukian said leaders “don’t realize that in failing to introduce strong measures to protect data they’re placing themselves at risk because data breaches are abounding, and a lot of this is happening internally – poor management practices, poor protection of data, etc. are the causes of breaches.” That sets off class-action lawsuits, she noted. “So you place your company at risk by not doing this.”
The other thing, she added, is good data protection is good business. “If you’re doing privacy by design don’t keep it to yourself. Shout it from the rooftops. Tell the customers the lengths you’re going through to protect their privacy, and gain their trust, their loyalty – and their repeat business.”
Data Privacy Day was marked by a number of events across the country this week. Last night in Toronto a gala dinner and auction raised thousands of dollars for the new International Council on Global Privacy and Security by Design, which will fund research into ways privacy can work with security to ensure public safety and security. Cavoukian is its founder and chair.
Every time there’s a terrorist incident people call for government policies that put security over privacy, she said. The council aims to counter that by showing government can have both. “We’ve got to get rid of this either-or mentality … We’re at a stage where the growth of surveillance is so great that people are thinking there’s no possibility of preserving privacy. I want to dispel that notion. You can have privacy and data utility.”
Industry companies supporting last night’s event included Microsoft, Intel, Google, Deloitte, PricewaterhouseCoopers, TD Bank and the McCarthy Tétrault law firm.
Other founding members include former U.S. Homeland Security head and now security consultant Michael Chertoff, Telus CEO Darren Entwistle, SecureKey Technologies CEO Greg Wolfond, European Union counter-terrorism co-ordinator Gilles de Kerchove, Joseph Simitian, former chair of the California State Senate select committee on privacy and security, and biometric encryption expert George Tomko, who is also the council’s director of research.