The Top 5 Things you probably are not doing (but should be doing) to comply with Canadian Privacy Laws
Canadian privacy law requirements have evolved significantly over time, including based on regulatory guidance and case law. It can be hard for businesses to keep on top of their obligations. In particular, there are five (5) common areas in which Canadian businesses often have gaps in their privacy compliance programs:
1. Obtaining valid consent
It is a common experience for consumers to be presented with a checkbox next to a single line stating that they consent to an organization’s entire privacy policy, when they seek to purchase or register for goods or services. But, is this sufficient to obtain valid consent to collect, use and disclose personal information in Canada? Guidance provided by the regulators suggests that it is not. An effective consent strategy for Canada requires consideration of the organization’s unique statutory obligations across jurisdictions, as well as how these requirements have been interpreted by the Office of the Privacy Commissioner of Canada and its provincial counterparts.
2. Conducting privacy impact assessments (PIAs)
Public and health sector organizations have become accustomed to conducting PIAs, but this practice is less common in the non-health private sector. Recent changes to Quebec’s Act respecting the protection of personal information in the private sector have created new PIA requirements for enterprises doing business in Quebec. However, many organizations have not yet developed processes to comply with these new requirements. Moreover, businesses across Canada (not just in Quebec) should think about when a PIA is necessary (or prudent) to comply with their privacy law obligations.
3. Managing vendors throughout the relationship
In recent years, organizations have started adding privacy terms to a variety of commercial agreements, including (often) fulsome data processing addendums. However, these are sometimes based on the laws of other jurisdictions (e.g., the GDPR). Whether you are engaging a vendor to process personal information on behalf of your business, or you are a vendor offering your services to Canadian businesses, it is important for your contract to reflect applicable Canadian privacy laws. Furthermore, for companies that are engaging a service provider, proper vendor management requires more than contract terms; it requires robust vendor selection processes and oversight activities throughout the relationship.
4. Responding to data subject requests the right way
The most common types of complaints submitted to privacy regulators in Canada are related to the handling of data subject requests. These include requests to access and/or correct personal information, as well as withdrawals of consent. Organizations can avoid the time and expense involved in responding to a regulatory investigation by implementing procedures to escalate and respond to data subject requests and complaints in a timely and legally-compliant manner.
5. Training employees
Employees are often the “weak link” in an organization’s privacy and data security program. While human errors cannot be entirely avoided, they can be reduced by providing personnel with appropriate training. A one-time, generic training session may result in limited benefits to employee awareness, but on-going, role-specific training and awareness activities can materially reduce the probability of privacy and data security breaches within an organization.
McMillan’s Privacy and Data Protection team has developed a five-part series to help Canadian businesses understand their obligations in Canada with respect to each of the above topics. Stay tuned over the next five (5) weeks for practical guidance and recommended action items to help your organization comply with these critical privacy law requirements!
by Lyndsay Wasser, Kristen Pennington, and Robbie Grant
A Cautionary Note
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2024