Public awareness of how online data is used, and of what that means for privacy, has grown sharply since the Facebook and Cambridge Analytica scandal. Governments around the world have been tightening data protection and privacy laws and pressuring tech companies to disclose how they collect and use data.
Information is Vital
It goes without saying that every consumer-facing company collects data of some kind. Few could function without it. But companies rarely tell customers what they collect, store, share, or sell.
Many companies manoeuvre people into handing over personal information and then claim they had "explicit consent". Since the Cambridge Analytica scandal, several nations have introduced new data protection rules to protect the public.
Canada is usually a quiet country that rarely makes the news, but this time it has made headlines with its new privacy rules. That is in stark contrast to its powerful neighbour, the USA, which recently repealed its net neutrality rules.
While the US has given government agencies and Internet service providers a free hand to track user activity and to collect and sell personal data, Canada has brought mandatory breach reporting into force under the Personal Information Protection and Electronic Documents Act (PIPEDA). Every organization covered by the Act must now report a breach of security safeguards to the Privacy Commissioner of Canada and notify the affected individuals whenever the breach poses a real risk of significant harm to them.
Stepping Up Security
After the European Union's General Data Protection Regulation (GDPR), this is another data privacy and protection rule aimed at stepping up the security of consumer data.
Nations have increasingly realized that the general public has little idea how much information websites and organizations collect about them on the pretext of improving their services.
After several privacy breaches came to light in recent years, regulators concluded that tighter data protection rules were needed.
Handling Data Breaches Responsibly
Under this regulation, an organization must report to the Privacy Commissioner, and notify the individuals affected, about any breach of security safeguards involving personal information under its control that poses a real risk of significant harm to those individuals. It must do so as soon as feasible after determining that a breach has occurred. "Significant harm" is defined broadly and includes bodily harm, humiliation, damage to reputation or relationships, loss of employment or business opportunities, financial loss, identity theft, and damage to or loss of property.
The Yahoo breaches come to mind: hundreds of millions of accounts were affected, yet the intrusions were disclosed only around two years after they happened.
With the breach-reporting provisions of PIPEDA in effect from November 1st, 2018, organizations must also keep a record of every breach of security safeguards, whether or not it meets the significant-harm threshold, retain those records for 24 months, and hand them over to the Privacy Commissioner on request. Knowingly failing to report a breach or to keep these records is an offence punishable by a fine of up to $100,000. The rules apply to private-sector organizations across the country, except for activities that fall entirely within British Columbia, Alberta, or Quebec, which have their own substantially similar provincial privacy laws.
Most Canadian companies have a lot of work to do, because only four out of ten businesses have the policies needed to deal with a breach of consumer data.
How to Prepare for New Canadian Privacy Regulations?
The five steps Canadian companies should take to get started are:
- Identifying information: The first step is to find out what personal data the company holds, where it is stored, how it is used, and who it is shared with. Companies under no regulatory pressure often have no idea what they hold. This isn't only customer records; internal documents containing personal information are also in scope.
- Automating breach tracking: Keeping track of breaches by hand is hard, so companies should automate their information management so that incidents are detected and logged. Many still track their data holdings on a spreadsheet, which is inefficient at best. With automated inventory and monitoring, the company is alerted whenever something goes wrong, and it has the breach record the law now requires.
- Drafting a plan: Every business needs a step-by-step incident response plan describing what to do when a breach occurs, including how to report to the Privacy Commissioner, notify affected individuals, and deal with the media, with accurate details throughout. The Office of the Information and Privacy Commissioner of Alberta has published a helpful guide on responding to data breaches.
- Regularly testing the plan: Even with a plan in place, an organization can still fumble a real breach. The plan must therefore be exercised regularly, for example through tabletop drills, so the organization knows it can respond effectively when the time comes.
- Training employees: Staff must know what counts as sensitive data, what a breach looks like, and how to handle one. A plan is hard to put into practice without trained employees, because they are the people who handle the data day to day.
Formulating a regulation isn't enough on its own; one that is poorly explained imposes costs without improving outcomes and can even put businesses at risk. The government must also educate organizations about what compliance does and does not require.
General guidelines on what companies need to do have already been released, and in the coming weeks more detailed guidance will be provided to help small and medium businesses, which have limited time and resources, make sure they comply with the new regulation. The changes to the privacy law were made to bring Canada into line with the GDPR.