How a Privacy Officer can help protect your business


We sat down with Greg Ramsay, Corporate Lawyer and Fractional General Counsel at Caravel Law, to discuss the importance of having a Privacy Officer within your organization.

For many businesses, developing a privacy program is often an afterthought. They’ll assign someone as Privacy Officer, give them a privacy@ company email address and be done with it.

But privacy laws in Canada are evolving rapidly, and experts believe that big changes to regulations regarding personal information – and the consequences for breaching them – are on the horizon.

That’s why it’s so critical that companies take privacy issues seriously and that they designate a qualified Privacy Officer within their organization and arm them with a solid privacy program and procedures.

What is a Privacy Officer?

The Privacy Officer is responsible for reviewing the company’s privacy policy and liaising with internal departments to ensure the policy is being followed throughout the organization. They are the person who is accountable for making sure the company complies with Canada’s privacy laws.

A Privacy Officer is also the contact person that individuals can reach out to if they want to talk to an organization about their personal data.

Why do I need a Privacy Officer?

Under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), every private-sector organization that collects, uses, or discloses personal information needs to have a Privacy Officer.

Individuals (either customers, employees or other contacts) have the right to request the following from any organization that collects their data: 

  • Access to the information that the organization holds about them
  • Corrections to the information the organization holds about them

If someone has a privacy complaint against your business, the Privacy Officer is the person they speak with and the one who’s responsible for responding to their complaint promptly after receiving the request. 

European privacy law, known as the General Data Protection Regulation (GDPR), is seen as the gold standard of privacy protection and enforces high financial penalties against those who break the law.

There have been rumours that Canada plans to follow suit. News reports claim that the Liberal government is planning a massive overhaul of Canada’s privacy laws, including tougher fines for companies that break the rules.

What qualifications should a Privacy Officer have?

The person who takes on the Privacy Officer title will have another day-to-day role within the organization. Usually, that person is a lawyer, but it can also be a compliance professional or an internal audit specialist.

But whoever is assigned the role of Privacy Officer should ideally have a legal background or expertise in privacy policy. 

This is because not only should a Privacy Officer be responsible for reviewing and amending your company’s privacy policy, they also should liaise with other departments to ensure they are following privacy protocols. That’s part of the Privacy Officer’s role as the individual accountable for making sure the company is staying within the bounds of Canada’s privacy laws.

For example, what type of user data is the marketing department collecting, and how are they using it? How is the IT department using digital tools to capture and store user data? Every department has a role to play in privacy compliance, and a qualified Privacy Officer can provide expert guidance on how each one can follow these rules to the letter.

How can my business adopt better privacy practices?

The lightning-fast rate of technological development has allowed organizations to mine and capture untold amounts of data about individuals. We’re only now getting a full view of the ethical and moral repercussions of gathering, storing and using this user data.

The first golden rule when it comes to user privacy is that companies should only collect the data they need for the purposes of their relationship with the individual. It’s tempting – especially for big tech companies – to capture, use and re-sell as much user data as they can get their hands on. But with privacy laws tightening up, organizations will need to prove a legitimate need for every bit of data they collect.

The second golden rule is to ensure your organization has consent to store and use an individual’s data. In many cases, that consent will need to be explicit. This also means understanding the difference between implied consent (say, collecting a user’s mailing address to send them an item they purchased through your website) and express consent (for example, when someone double-opts-in to receive marketing communications from your organization).

A Privacy Policy Best-Practice Checklist

Here’s a checklist for how to create a positive privacy-focused culture within your organization.

  1. Assign a Privacy Officer with a strong legal or privacy policy background
  2. Conduct a privacy audit of your organization with a legal expert to assess where you need help
  3. Create an external Privacy Policy on your website, and ensure it’s reviewed by a legal expert (never copy and paste a boilerplate policy as it likely won’t be fit for purpose and may not fully legally protect your organization)
  4. Create an internal Privacy Policy handbook and a Privacy Code of Conduct for your organization
  5. Include privacy clauses in all contracts with new employees, suppliers, partners, etc.
  6. Ensure any third parties you work with agree to the terms of your organization’s Privacy Policies (e.g. outsourced marketing, IT consultants, etc.)
  7. Set up an annual (or better yet, quarterly) company-wide Privacy Policy meeting to discuss changes to your policies with your entire team

Need help managing your organization’s Privacy Policies? Caravel Law is an alternative legal firm with over 50 qualified and experienced lawyers to help support your legal needs. Get in touch with our team today to find out more.

The information provided in this article is not intended to be legal advice. Many factors unknown to us may affect the applicability of this content to your particular circumstances.
