As everyone knows by now, privacy-related legislation in Canada has reached the point where pretty much every organization should take heed and start doing its homework on that front. Complying with privacy law is no longer something only multinationals should do; SMB/SMEs should now do it too.
Though it may seem tempting to jump right into what privacy legislation prohibits and mandates, this is not the first step you should take. A preliminary (but necessary) step is to stop and think about what the organization really does with personal information and how, in detail. Though this exercise may involve expending resources, it should be done, at least if you’re serious about the process.
Indeed, the first order of business when undertaking this process should be to take inventory of what personal information is collected by the organization, the whole organization, including information about employees, clients, customers (potential and actual), etc. When doing this, it is worthwhile to try and understand how this data comes in, through what processes, tools, partners, etc.
Along with knowing how we go about collecting information, we should strive to inventory the whole of the personal information which the organization ends up having in store, and the system(s) used to collect and store it.
Once we know what information the organization has access to, it will then be important to chart and document what we do with each piece of information, including how we use it, where we send it, who we communicate it to, etc. Though time-consuming, this will later allow us to assess what we need to do to remain compliant with privacy legislation.
All this preliminary work should normally result in providing us with a clear picture of the extent to which personal information is relevant to the organization and what we need to manage moving forward. Equipped with an understanding of what the organization does, we can then start determining whether we are complying with privacy rules as to each instance of collection, of use and of communication and, if not, what remedial steps must be taken.
Though it may prove tempting for many small organizations to start looking at the requirements of privacy legislation right away, without making an adequate inventory, this is definitely not the way to go. If you want to do things properly and end up knowing reasonably well that you do comply with privacy legislation, a modicum of preparatory work is required, including adequately taking stock of what your organization actually does with personal information, throughout.
Though it may feel like spinning your wheels at first, it will pay off in the long run, as it will then allow a proper analysis of your privacy practices and adequate recommendations as to how to go about things, moving forward.