We sat down with Greg Ramsay, Corporate Lawyer and Fractional General Counsel at Caravel Law, to discuss the importance of having a Privacy Officer within your organization.
For many businesses, developing a privacy program is often an afterthought. They’ll assign someone as Privacy Officer, give them a privacy@ company email address and be done with it.
But privacy laws in Canada are evolving rapidly, and experts believe that big changes to regulations regarding personal information – and the consequences for breaching them – are on the horizon.
That’s why it’s so critical that companies take privacy issues seriously and that they designate a qualified Privacy Officer within their organization and arm them with a solid privacy program and procedures.
What is a Privacy Officer?
Among other responsibilities, a Privacy Officer is the contact person that individuals can reach out to when they want to talk to an organization about their personal data.
Why do I need a Privacy Officer?
Under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), every private-sector organization that collects, uses, or discloses personal information in the course of commercial activities must designate an individual who is accountable for its compliance with the Act. In practice, that individual is the Privacy Officer.
Individuals (customers, employees or other contacts) have the right to request the following from any organization that collects their data:
- Access to the information that the organization holds about them
- Corrections to the information the organization holds about them
If someone has a privacy complaint against your business, the Privacy Officer is the person they speak with and the one responsible for responding promptly once the complaint is received.
The European Union’s privacy law, the General Data Protection Regulation (GDPR), is seen as the gold standard of privacy protection and provides for substantial financial penalties against organizations that break the law.
There have been rumours that Canada plans to follow suit. News reports claim that the Liberal government is planning a massive overhaul of Canada’s privacy laws, including tougher fines for companies that break the rules.
What qualifications should a Privacy Officer have?
The person who takes on the Privacy Officer title typically also has another day-to-day role within the organization. Usually, that person is a lawyer, but it can also be a compliance professional or an internal audit specialist.
The Privacy Officer also needs to understand how personal information is handled across the organization. What type of user data is the marketing department collecting, and how are they using it? How is the IT department using digital tools to capture and store user data? Every department has a role to play in privacy compliance, and a qualified Privacy Officer can provide expert guidance on how each one can follow these rules to the letter.
How can my business adopt better privacy practices?
The lightning-fast rate of technological development has allowed organizations to mine and capture untold amounts of data about individuals. We’re only now getting a full view of the ethical repercussions of gathering, storing and using this user data.
The first golden rule when it comes to user privacy is that companies should only collect the data they need for the purposes of their relationship with the individual. It’s tempting – especially for big tech companies – to capture, use and re-sell as much user data as they can get their hands on. But with privacy laws tightening up, organizations will need to prove a legitimate need for every bit of data they collect.
The second golden rule is to ensure your organization has consent to store and use an individual’s data. In many cases, that consent will need to be express. This also means understanding the difference between implied consent (say, collecting a user’s mailing address to send them an item they purchased through your website) and express consent (for example, when someone double-opts-in to receive marketing communications from your organization).
Here’s a checklist for how to create a positive privacy-focused culture within your organization.
- Conduct a privacy audit of your organization with a legal expert to assess where you need help
- Include privacy clauses in all contracts with new employees, suppliers, partners, etc.
- Ensure any third parties you work with agree to the terms of your organization’s Privacy Policies (e.g. outsourced marketing, IT consultants, etc.)
Need help managing your organization’s Privacy Policies? Caravel Law is an alternative legal firm with over 50 qualified and experienced lawyers to help support your legal needs. Get in touch with our team today to find out more.
The information provided in this article is not intended to be legal advice. Many factors unknown to us may affect the applicability of this content to your particular circumstances.