ARTICLE
29 August 2024

The Top 5 Things You Probably Are Not Doing (But Should Be Doing) To Comply With Canadian Privacy Laws

McMillan LLP

McMillan is a leading business law firm serving public, private and not-for-profit clients across key industries in Canada, the United States and internationally. With recognized expertise and acknowledged leadership in major business sectors, we provide solutions-oriented legal advice through our offices in Vancouver, Calgary, Toronto, Ottawa, Montréal and Hong Kong. Our firm values – respect, teamwork, commitment, client service and professional excellence – are at the heart of McMillan’s commitment to serve our clients, our local communities and the legal profession.
Canadian privacy law requirements have evolved significantly over time, including based on regulatory guidance and case law. It can be hard for businesses to keep on top of their obligations. In particular, there are five (5) common areas in which Canadian businesses often have gaps in their privacy compliance programs:

1. Obtaining valid consent

It is a common experience for consumers to be presented with a checkbox next to a single line stating that they consent to an organization's entire privacy policy, when they seek to purchase or register for goods or services. But, is this sufficient to obtain valid consent to collect, use and disclose personal information in Canada? Guidance provided by the regulators suggests that it is not. An effective consent strategy for Canada requires consideration of the organization's unique statutory obligations across jurisdictions, as well as how these requirements have been interpreted by the Office of the Privacy Commissioner of Canada and its provincial counterparts.

2. Conducting privacy impact assessments (PIAs)

Public and health sector organizations have become accustomed to conducting PIAs, but this practice is less common in the non-health private sector. Recent changes to Quebec's Act respecting the protection of personal information in the private sector have created new PIA requirements for enterprises doing business in Quebec. However, many organizations have not yet developed processes to comply with these new requirements. Moreover, businesses across Canada (not just in Quebec) should think about when a PIA is necessary (or prudent) to comply with their privacy law obligations.

3. Managing vendors throughout the relationship

In recent years, organizations have started adding privacy terms to a variety of commercial agreements, including (often) fulsome data processing addendums. However, these are sometimes based on the laws of other jurisdictions (e.g., the GDPR). Whether you are engaging a vendor to process personal information on behalf of your business, or you are a vendor offering your services to Canadian businesses, it is important for your contract to reflect applicable Canadian privacy laws. Furthermore, for companies that are engaging a service provider, proper vendor management requires more than contract terms; it requires robust vendor selection processes and oversight activities throughout the relationship.

4. Responding to data subject requests the right way

The most common types of complaints submitted to privacy regulators in Canada are related to the handling of data subject requests. These include requests to access and/or correct personal information, as well as withdrawals of consent. Organizations can avoid the time and expense involved in responding to a regulatory investigation by implementing procedures to escalate and respond to data subject requests and complaints in a timely and legally-compliant manner.

5. Training employees

Employees are often the "weak link" in an organization's privacy and data security program. While human errors cannot be entirely avoided, they can be reduced by providing personnel with appropriate training. A one-time, generic training session may do little to improve employee awareness, but ongoing, role-specific training and awareness activities can materially reduce the probability of privacy and data security breaches within an organization.

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2024
