Many medium- and large-sized Canadian firms are already preparing for an overhaul of the country’s federal private-sector privacy law even as political pundits predict an election will soon be called that will kill the proposed act now before Parliament.
The just-released survey of data protection officials at just over 100 firms was conducted in March by PwC Canada. It found:
–85 per cent of respondents were aware of the proposed Consumer Privacy Protection Act (Bill C-11/CPPA). Almost all of them said it is a priority in their company. Of those 41 per cent said it’s a top priority;
— 88 per cent had already done an internal assessment of their data structure to get ready. Of those, 94 per cent already have a general high-level or detailed plan in place to prepare for the adoption of the CPPA.
Jordan Prokopy, PwC’s national privacy practice leader, acknowledged the CPPA may not pass. However, she added in an interview, because the current federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), has to be updated to meet the adequacy requirements of the European Union’s General Data Protection Regulation (GDPR) “we know where the puck is heading.”
Officials surveyed included general counsels, chief privacy officers and CIOs, with the goal to determine awareness and the potential impact of the bill on Canadian businesses, Prokopy said. The research was conducted four months after CPPA was announced.
Eighty per cent of the respondents were from firms with annual revenues of over $100 million. When asked why PwC surveyed this slice of Canadian businesses, Prokopy said this was the segment that might hire the consulting firm to help with their CPPA readiness plans.
”What I found really interesting were the results around [anticipated] revenue impact [of CPPA],” she said. Sixty per cent of respondents believe it will impact their revenue. Of those, half (or 30 per cent overall) believe it will impact their bottom line positively.
The suggestion, she said, is that these officials believe building trust among customers that personal data will be used responsibly can support a business’s goals.
“If [protecting data] is about building trust, it can improve customer experience, which can ultimately make people more comfortable with sharing their information and have trust in company use of data,” she said.
The areas where respondents thought the CPPA would have the biggest operational impact in their organizations are data mobility (87 per cent. The proposed law would give Canadians the right to move their personal data from one company to another), consent (86 per cent. The proposed law has some changes in the obligations of a firm to get informed consent to collect personal data) and data deletion (83 per cent. The proposed law has data deletion obligations).
Among other findings:
–one out of every five respondents (21 per cent) who are aware of the proposed changes expects CPPA-related expenses to be $10 million or more within the next three years;
–37 per cent of all respondents expect to hire more than 10 full-time staff or contractors for their CPPA or privacy programs in that same period.
Interestingly, only 71 per cent of respondents said their firm has an existing privacy compliance program. PIPEDA became law in 2000; it applies to all commercial firms. Three provinces (Alberta, British Columbia and Québec) have their own private sector privacy laws, while PIPEDA applies to the other provinces and territories. Provinces may have their own separate privacy laws for the healthcare sector.
PwC argues that businesses should take a strategic data trust approach that allows them to create, use, share and retire data securely and transparently. This requires an integrated approach in four key areas: data governance, data discovery, data protection and data minimization.
“We’ve seen firsthand with GDPR that organizations that take a strategic data trust approach versus a compliance-first approach to privacy are able to capitalize,” the report says.