Why You Should Start with an Inventory of Your Business’ Personal Information

As everyone knows by now, privacy legislation in Canada has reached the point where pretty much every organization should take heed and start doing its homework on that front. Complying with privacy law is no longer something only multinationals need to worry about; SMBs/SMEs should now do it too.

Though it may seem tempting to jump right into what privacy legislation prohibits and mandates, this is not the first step you should take. A preliminary (but necessary) step is to stop and think about what the organization really does with personal information, and how, in detail. Though this exercise will consume some resources, it should be done, at least if you're serious about the process.

Indeed, the first order of business when undertaking this process should be to take inventory of what personal information is collected by the organization, the whole organization, including information about employees, clients, customers (potential and actual), etc. When doing this, it is worthwhile to try and understand how this data comes in: through what processes, tools, partners, etc.

Along with knowing how we go about collecting information, we should strive to inventory the whole of the personal information the organization ends up holding, and the system(s) used to collect and store it.

Once we know what information the organization has access to, it will then be important to chart and document what we do with each piece of information, including how we use it, where we send it, whom we communicate it to, etc. Though time-consuming, this will later allow us to assess what we need to do to remain compliant with privacy legislation.

All this preliminary work should normally give us a clear picture of the extent to which personal information is relevant to the organization and of what we need to manage moving forward. Equipped with an understanding of what the organization actually does, we can then start determining whether we are complying with privacy rules for each instance of collection, use and communication and, if not, what remedial steps must be taken.

Though it may prove tempting for many small organizations to start looking at the requirements of privacy legislation right away, without making an adequate inventory, this is definitely not the way to go. If you want to do things properly and end up knowing with reasonable confidence that you comply with privacy legislation, a modicum of preparatory work is required, including adequately taking stock of what your organization actually does with personal information, across the board.

Though it may feel like spinning your wheels at first, it will pay off in the long run, as it will then allow a proper analysis of your privacy practices and sound recommendations as to how to go about things moving forward.

Canada One Step Closer to Adopting C-27 and AI-specific Legislation

The Canadian government reiterated last week that we're collectively moving forward with the revamp of the country's federal privacy legislation, including an offshoot meant to curb (better control, some would say) the rampant and unrestricted adoption of artificial intelligence ("AI"). At the same time, the bill at issue (Bill C-27) moved to the second reading stage, bringing us one step closer to formal adoption of this piece of legislation.

Bill C-27 will reinforce personal information protection throughout Canada by updating a law that is now more than 20 years old and, many would say, quite outdated. The new version of the personal information protection statute will include provisions meant to empower individuals in a way that allows them to exercise control over their data, something the current version of the legislation has largely failed to do. Though it's not quite GDPR, many see this new version of Canadian privacy legislation as a much needed shot in the arm for our federal privacy regime.

At the same time, this project will likely also see Canada adopt a whole new statute meant to better control the use of AI (e.g. by businesses), including new rules to try and minimize scenarios where AI is implemented in a way that is incompatible with personal rights and freedoms as well as Canadian values.

The Canadian government clearly says it intends to move forward with all of this. Now, it's mostly a question of going through the rest of the legislative process, but there's little doubt that this bill will become law before long. Stay tuned.

Your Typical Canadian Employees May Not Care All that Much About Cybersecurity or Privacy at Work, it Seems

The media recently reported disconcerting results from a survey of Canadian employees about the protection of personal information and cybersecurity.

The report at issue indicates that about 1/3 of Canadian employees do not think data theft is really an issue they should be concerned with, or that they are likely to be targeted by cybercriminals while at work. Even with everything that has happened in the past couple of years, including almost daily announcements of computer intrusions and ransomware attacks (including in Canada), your typical employee does not seem all that worried.

In Québec, 3/4 of employees who answered the survey indicated they did not think the protection of personal information had anything to do with them, thinking instead that this is an issue IT is responsible for. Heck, the same proportion of respondents even admitted they had received NO training whatsoever at work about cybersecurity. None. Yikes.

Yeah, it seems that even today, with everything being published and privacy laws being adopted, your typical Canadian business may not be all that concerned about protecting data, whether personal or otherwise. Given that even some SME officers and business owners still basically choose to ignore the issue, it is not all that surprising that a lot of employees do too. The Vietnamese have a good saying that may apply here: a house leaks from the roof on down.

Our job educating businesses and employees about this may not be quite done, it seems.