Protecting private information matters regardless of where you do business. However, each jurisdiction has different rules. If you want to do business in Canada, you need to follow the Personal Information Protection and Electronic Documents Act (PIPEDA). Before you find out how to self-assess your organization’s performance, let’s make clear why this matters. This law describes how companies and other organizations need to protect personal information and safeguard privacy.
Why Does PIPEDA Compliance Matter?
There are two reasons why you should invest resources in PIPEDA compliance, assuming your company does business in Canada (or you want that option).
1. Avoid penalties associated with PIPEDA non-compliance
What happens if you violate PIPEDA? It all depends on the specific situation. However, there are at least five outcomes:
- Federal court. Even if you win the court case, your company will have to spend resources on a legal defense.
- Public interest disclosure. Your company’s PIPEDA violation can be publicly disclosed. That means you will face some difficult questions from customers, the media and others.
- Audit. Conducted by the Office of the Privacy Commissioner of Canada, an audit is an in-depth investigation of an organization’s privacy practices. While the audit is underway, you will need to dedicate staff and other resources to respond to the audit.
- Compliance agreements. You will enter into a formal agreement with the Office of the Privacy Commissioner of Canada to address problems. If your company fails to follow the agreement, you can face court proceedings.
- Reporting offenses. In some cases, you may face charges for PIPEDA violations.
These outcomes will impact your ability to execute your strategy and reach your goals.
2. Preserve your company’s reputation
You have probably invested substantial resources in building your reputation through customer service, marketing and other activities. Failing to protect private data as required by PIPEDA can weaken or destroy your brand reputation significantly. Instead of talking to customers about how you can serve them, you will be forced into damage control activities.
Yikes! Failing to meet PIPEDA expectations is not a wise move. To avoid painful and expensive investigations and audits, seize the opportunity to self-assess your situation now.
Your Path To A Comprehensive PIPEDA Compliance Self-Assessment
Rather than waiting for a customer complaint, court proceeding or investigation to reveal problems, use a self-assessment process. Whether or not you have dedicated privacy or compliance employees, this process is a simple way to detect problems.
1) Learn About PIPEDA Requirements
You may be new to PIPEDA or assume it is similar to requirements in other jurisdictions. That’s not a wise move. Take a few minutes to review these resources to understand what the law requires.
- PIPEDA in brief. A short introduction to the law including details on who it applies to and who it does not apply to.
- Introduction to PIPEDA for your business. Last updated in July 2019, this official website gives business-oriented information to help you understand PIPEDA.
Tip: For legal advice related to your situation, speak to a qualified legal professional. Even if you go down that route, this self-assessment process will help you to have a more informed discussion about your company’s PIPEDA situation.
2) Identify PIPEDA Relevant Information
Fortunately, there are limitations to PIPEDA – only certain kinds of information need to be protected. In general, you should start by creating an inventory of systems, filing cabinets and other locations that store personal information about a person. As a starting point, look for the following assets:
- Customer databases. Start with your customer relationship management (CRM) and systems containing orders and service requests.
- Employee database. Employee files, including payroll systems, should be reviewed.
- Marketing automation systems. Your marketing systems may consider PIPEDA related data.
- Paper Files. You may be a mostly paperless company. However, printouts, statements and other records with personal information need to be reviewed.
- Third Parties and Outsourcing. Does your organization outsource critical functions to other companies? If those functions include sales, marketing, payroll and other activities that require personal data, evaluate them for PIPEDA compliance.
Now that you have an inventory of PIPEDA relevant information make a note to maintain it on a set schedule. As a guideline, start by updating the inventory annually.
3) Evaluate Your PIPEDA Safeguards
Knowing all of your protected information is not enough. You also need to have systems in place to protect data. A key component for PIPEDA are safeguards that prevent disclosure of protected information.
System protection takes a variety of forms, including physical security measures and technology. Under the heading of physical security, you might create an inventory of keycards and keys issued to employees and contractors. Additional safeguards might be required to protect rooms containing servers, backups and other information storage devices. For technology, you need processes to track user IDs, passwords and controls over these functions.
As you review your safeguards, consider two scenarios to evaluate if these measures are sufficiently robust. First, ask yourself whether employees are likely to make mistakes or leave sensitive information exposed (e.g. on a desk or in an unsecured file sharing service). Second, ask yourself how difficult it would be for a skilled hacker to gain access to a single PIPEDA protected record.
4) Evaluate Your Privacy Process and Training
Great safeguards are only effective if your employees are adequately trained on privacy, IT security and related factors. To self-assess your training and supporting processes for employees, use two questions.
- Ask a newly hired (past 6-12 months) what privacy and security training they received. If they cannot recall anything, you have a gap to address.
- Ask human resources to provide a list of training resources (i.e. documents, courses, etc.) available on security and privacy. If there is nothing written down, you have a gap to address.
5) Identify Privacy Gaps For RemediationYou’ve arrived at the final step of your PIPEDA self-assessment. You have probably found plenty of gaps and inconsistencies in the organization. That is to be expected if you have never conducted a self-assessment before. Your next move is to choose a few priority areas to improve. For example, use an access management software solution to activate and remove access as needed to protect sensitive data.
