January 28, 2021 marks the 14th annual Data Privacy Day – a day that is important for consumers and businesses alike. For consumers, it’s a time to review and reflect on the confidentiality of their online data; for businesses, it’s a time for leadership to take stock of their privacy practices and obligations.
Data privacy and data security are complementary but distinct concepts. Data privacy governs how data is collected, shared and used. Data privacy is all about preserving an individual’s right to control their own personal information. Various regulatory frameworks exist to provide guidance and oversight for the appropriate administration of data privacy in the enterprise. Depending on your jurisdiction, and the type of business you run, you must comply with federal and provincial privacy legislation (e.g., in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) currently governs the privacy framework across the country, with some provinces having their own compliance structures in place).
In contrast, data security speaks to protecting that information from being lost, damaged, or stolen. Data security is the practice of restricting access to the right people, at the right time, for the right reasons. Data security also involves auditing and tracking access to that information, to prove that only authorized personnel have accessed data, and that they had a good reason for doing so.
Good data security practices are just as important as good data privacy habits: they’re related, but different.
Data Privacy Day is particularly notable this year because 2021 is shaping up to be a landmark time for privacy in Canada. After its first reading in November 2020, Bill C-11 (the Digital Charter Implementation Act, 2020) is entering its final weeks of public consultation, and (barring a federal election in Canada), the Act is expected to become law by the end of the year.
With the new Act, expanded privacy requirements and obligations, tougher regulations and stiffer penalties for non-compliance are on the horizon. The new Act will repeal a large part of the existing PIPEDA legislation, replacing it with the new Consumer Privacy Protection Act (CPPA) for the private sector. It will also introduce a new Personal Information and Data Protection Tribunal to hear appeals of orders by the Privacy Commissioner and apply a new monetary regime under the CPPA.
The Act will have a profound effect on Canadian business, and the way companies manage the privacy and security of their enterprise data. Rules around the collection of customer data, and consent for its use, are changing. Consent language built into contracts may need to be “unbundled”. New requirements for handling customer access, correction, and deletion requests are in the new Act. A new framework for companies to provide customers with a copy of their personal data is evolving. The list goes on.
You can start to prepare for change today. Consider the following:
+ Designate an individual as a “privacy champion” at your company to follow news about the legislation, map it back to your business, and educate your management and personnel.
+ Emphasize data privacy and data security awareness for every employee at your company. Training on data privacy should be integrated into your corporate education program, right from the onboarding process for new staff through to regular refresher training and resources. Example: do all of your client service personnel know what to do if they were to receive a personal data access request from a customer?
+ Conduct routine data access audits and monitor your network for suspicious activity. In the event of unauthorized access, it’s important to see the signs early so you can reduce the exposure – and the financial and reputational damage that can follow.
+ Don’t underestimate hackers’ interest in your company because it’s smaller or just starting out. Breaches and attacks affect organizations of all sizes, including start-ups and small businesses. If you are entrusted with client data, you need to protect the privacy, confidentiality, and security of that data.
+ Implement a zero-trust model. Once you have created a comprehensive inventory and asset management program for all systems, applications, and databases, you can fine-tune the access to those assets to protect the privacy and security of your clients’ information.
+ Understand that, while privacy legislation imposes significant obligations on business, most privacy programs are successful when privacy is treated as a strategic advantage and best practice – not merely a burden.
But the most important thing you can do is start. If you’re ready to learn more, ISA Cybersecurity and Varonis can help. ISA brings decades of experience and a full range of cybersecurity services, from advisory and assessment services and architecture design and implementation, right through to incident response, digital forensics, and hosted/managed services. And Varonis brings an arsenal of data protection and privacy compliance solutions to the table.
Together, we can help you itemize your data collection and storage points, and manage and audit access to sensitive and regulated data. Together, we form a winning combination that can help your enterprise comply with today’s regulations, and make sure you’re ready for the compliance regime of tomorrow.