The Top 5 Things you probably are not doing (but should be doing) to comply with Canadian Privacy Laws
Canadian privacy law requirements have evolved significantly over time, including based on regulatory guidance and case law. It can be hard for businesses to keep on top of their obligations. In particular, there are five (5) common areas in which Canadian businesses often have gaps in their privacy compliance programs:
1. Obtaining valid consent
It is a common experience for consumers to be presented with a checkbox next to a single line stating that they consent to an organization’s entire privacy policy, when they seek to purchase or register for goods or services. But is this sufficient to obtain valid consent to collect, use and disclose personal information in Canada? Guidance provided by the regulators suggests that it is not. An effective consent strategy for Canada requires consideration of the organization’s unique statutory obligations across jurisdictions, as well as how these requirements have been interpreted by the Office of the Privacy Commissioner of Canada and its provincial counterparts.
2. Conducting privacy impact assessments (PIAs)
Public and health sector organizations have become accustomed to conducting PIAs, but this practice is less common in the non-health private sector. Recent changes to Quebec’s Act respecting the protection of personal information in the private sector have created new PIA requirements for enterprises doing business in Quebec. However, many organizations have not yet developed processes to comply with these new requirements. Moreover, businesses across Canada (not just in Quebec) should think about when a PIA is necessary (or prudent) to comply with their privacy law obligations.
3. Managing vendors throughout the relationship
In recent years, organizations have started adding privacy terms to a variety of commercial agreements, including (often) fulsome data processing addendums. However, these are sometimes based on the laws of other jurisdictions (e.g., the GDPR). Whether you are engaging a vendor to process personal information on behalf of your business, or you are a vendor offering your services to Canadian businesses, it is important for your contract to reflect applicable Canadian privacy laws. Furthermore, for companies that are engaging a service provider, proper vendor management requires more than contract terms; it requires robust vendor selection processes and oversight activities throughout the relationship.
4. Responding to data subject requests the right way
The most common types of complaints submitted to privacy regulators in Canada relate to the handling of data subject requests. These include requests to access and/or correct personal information, as well as withdrawals of consent. Organizations can avoid the time and expense involved in responding to a regulatory investigation by implementing procedures to escalate and respond to data subject requests and complaints in a timely and legally compliant manner.
5. Training employees
Employees are often the “weak link” in an organization’s privacy and data security program. While human errors cannot be entirely avoided, they can be reduced by providing personnel with appropriate training. A one-time, generic training session may do little to improve employee awareness, but ongoing, role-specific training and awareness activities can materially reduce the probability of privacy and data security breaches within an organization.
McMillan’s Privacy and Data Protection team has developed a five-part series to help Canadian businesses understand their obligations in Canada with respect to each of the above topics. Stay tuned over the next five (5) weeks for practical guidance and recommended action items to help your organization comply with these critical privacy law requirements!
by Lyndsay Wasser, Kristen Pennington, and Robbie Grant
A Cautionary Note
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2024