(As originally published on LinkedIn, 20 November 2018)
All eyes on PIPEDA, but there’s more on the horizon
By: Roobi Alam, Data Privacy & Protection Leader, Senior Manager - Advisory Services at Ernst & Young
The global privacy landscape is undergoing major change. Already, regulations like the European Union’s General Data Protection Regulation (GDPR) are disrupting how companies conduct business, with some regulators even comparing their scope and impact to Sarbanes-Oxley. Brazil followed in the EU’s footsteps by passing the General Data Privacy Law, while Japan – which had reformed its own privacy laws last year – is in discussions with the EU to form an agreement that would allow for the safe transfer of data between both jurisdictions.
Closer to home, California passed one of the country’s toughest data privacy laws with the implementation of the California Consumer Privacy Act of 2018. Organizations of all sizes will be required to be more transparent about the kinds of data they collect from consumers, and must also provide the option to opt out of having data sold to third parties. US lawmakers have also taken aim at tech giants, which will undoubtedly have an impact on how businesses operate and integrate privacy protocols moving forward.
We are now starting to see some of these changes in Canada, with amendments to the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). This includes a mandatory breach notification that came into effect earlier in November, along with additional consent requirements like the explicit opt-in and “just-in-time” notices set to be implemented in January 2019.
It’s become apparent that, much like the rest of the world, Canada will need to make more drastic changes to data privacy regulations now in order to keep pace with evolving global demands.
More changes on the horizon
PIPEDA aside, some other changes being tabled by Canada’s Parliament Committee and privacy professionals include:
- Data minimization – Collecting only the data you need for its original collection purpose.
- Accountability – Including documented policies and procedures, data flow inventories, privacy impact assessments (PIAs) and a risk registry to demonstrate that the organization knows where its data is, what privacy risks exist and how those risks are being tracked.
- Privacy by Design (PbD) and default – Ensuring that PbD is implemented throughout the business/IT development life cycle (e.g. data flows inventory, PIAs, data classification, anonymization, encryption, etc.).
- Processes – Supporting the data subject’s “Right to be Forgotten” and “Data Portability.”
- Transparency – Determining what data is being collected, how it is being processed and how the organization is benefiting versus what benefits it brings to data subjects.
- Penalties for non-compliance – Regulators are proposing significant fines to ensure organizations realize the importance of meeting and sustaining privacy compliance.
One of the biggest lessons we’ve learned from global directives like GDPR is that organizations have been taking, on average, 12-18 months to complete some of the most basic GDPR requirements. Even so, they are still not 100% compliant. Moreover, the implementation and enforcement of these requirements has proven to be a daunting task because it impacts all departments of an organization, thereby requiring extensive approvals, a culture shift and strong stakeholder support to have lasting impact. And no industry is immune – the IAPP/EY Annual Privacy Governance Report 2018 outlines the significant impacts on organizations in various sectors like financial services and health care.
Apart from internal and external stakeholder support, here are some of the other challenges we’ve seen companies face head-on in the wake of these new regulations:
- Data retention – Retaining data indefinitely.
- Third party risk management – Many companies are outsourcing all or part of their processes and not doing enough due diligence to confirm whether adequate safeguards are in place.
- A basic understanding – What data the organization collects, processes and stores.
- Performing regular PIAs – These help to determine privacy risk across the data life cycle.
- Developing a PbD methodology – Proactively addressing privacy risks at the design phase.
- Effective incident and breach management processes – Track, resolve and report breaches.
- Appropriate consent – This includes documented support for lawful basis for processing (e.g. consent, contract vs. legitimate interest).
- Data rights management processes – Understand whether the organization’s systems can support data subject rights to their information and, more importantly, data erasure.
- Continuous monitoring and improvement – This includes a formal privacy controls framework.
With all of these changes redefining privacy best practices, it can be easy for organizations to be at a loss for where to start. To stay ahead of new regulations, Canadian companies should be taking a proactive approach to data privacy by anticipating and preparing for upcoming changes, and doing their due diligence to implement a strategic data privacy program and controls that meet and exceed global and local compliance requirements.
Find out how EY can help your organization navigate the changing data protection and privacy landscape on our Data Privacy & Protection website.