Canada: ABCs Of A Privacy Compliance Program: What You Always Wanted To Know And Were Afraid To Ask!
Privacy and Cybersecurity Bulletin

The recent reform of the Act respecting the protection of personal information in the private sector (the "Law 25") ¹ raises no shortage of questions for organizations. In particular, some are wondering where to start and how to make sure they are in compliance with their new obligations while at the same time mitigating the risks associated with processing personal information. Adopting a privacy compliance program ("Privacy Program") is therefore an important step to take in order to effectively meet all of the applicable statutory requirements, including, in particular, those relating to the implementation of preventive protection measures.

This series of bulletins, presented in chapter form, will demystify this concept and suggest concrete measures for initiating compliance.

Chapter 2: Who does what?

In the first chapter in this series, we defined the concept of a Privacy Program and set out the benefits for organizations.

In this second chapter, we will address the important question of the roles and responsibilities of the stakeholders in a Privacy Program and describe the models for the structure of the team in charge of it.

Generally, establishing a Privacy Program starts with identifying the stakeholders. The next step is to determine the vision, the mission, and the structure of the teams responsible for it, and then delineating its scope and putting its compliance framework in place.  This chapter deals with identification of the stakeholders, stakeholders' responsibilities, and the structure of the team responsible for designing and deploying the compliance program. The vision and scope of the Privacy Program will be addressed in the next chapter.

Note that building a Privacy program is a continuous step-by-step process that calls for active participation by the organization's senior management. Each organization will have a different program based on its size, its operational context, and the nature of its activities.

1. Identifying the stakeholders: Who should be involved in implementing the Privacy Program?

The stakeholders can be identified by holding workshops involving the persons responsible for the organization's various functions or departments. This activity must be carried out with the active collaboration of the person in charge of the protection of personal information within the organization ("PCPPI"),²  and will enable the PCPPI to assess the needs and position their own role in relation to the stakeholders. Naturally, and where necessary, the organization's legal department should be involved in defining roles and responsibilities. They may play an active role in implementing the program and will help to determine the requirements imposed by the applicable legislation and regulations.

Stakeholders can also be identified using a role and responsibilities assignment matrix (RACI) defining the various activities to be performed within the Privacy Program and assigning the following roles to the various stakeholders: responsible, accountable, consulted, informed. The roles and responsibilities involved in establishing the Privacy Program must be distinguished from those relating to carrying it out. The type of position or department that may be a stakeholder in the exercise may include: human resources, marketing, business development, finance, information security, risk management, the enterprise's compliance, ethics and audit departments, and its legal department.³ 

a. Documenting and disseminating information on stakeholders' various roles and responsibilities

The stakeholders in the program and their roles and responsibilities must be documented and the necessary written authorizations⁴ must be properly recorded, and, where applicable, disseminated to the persons concerned. Based on the role and responsibilities identified, those persons may be all or certain employees of the organization, its executives, or the public.⁵   These roles and responsibilities must be reflected in the organization's various internal policies or its training and awareness documents, including its internal personal information protection policy.⁶ On this point, we would also note that dissemination of the title or contact information of certain stakeholders outside the organization might be a requirement pursuant to a statutory obligation.⁷

2. Once the program is established, what should the structure of the personal information protection team be?

The structure and the number of people who make up the personal information protection team, once the program has been established, will vary, depending on the activities and size of the organization and the context in which it operates. Note that the structure of the team will also be subject to statutory requirements. For example, under Law 25, unless the enterprise has delegated the role of person in charge of the protection of personal information in writing, that role will fall to the person exercising the highest authority within the organization. A needs assessment should therefore be done prior to creating the team and before designating the person in charge. That assessment can be done several times, as your work progresses or as the organization's activities develop. It should also be noted that while this article talks about the "team" in charge of the protection of personal information within your organization, it may be, depending on the needs assessed, that one person will be sufficient to achieve the organization's compliance objectives in this regard. We reproduce a few current models below.

a. Team governance model

Typically, organizations prefer three approaches in deploying a governance model for the team responsible for the protection of personal information: centralized, decentralized and hybrid.⁸ 

The centralized governance model consists of designating a central person or team that will be responsible for the protection of personal information within your organization.⁹ A small organization or an organization that wants to have a single point of contact for personal information protection, such as a PCPPI within the organization, may opt for a centralized governance model.¹⁰ This might also be the model of choice for an organization that has a lower maturity level in relation to compliance with personal data protection but wants to opt for a hybrid model. In that case, the Office could arrange the gradual deployment of the compliance program in various business lines or departments of the organization and would manage it, provide training for stakeholders, and monitor the associated risks.

The decentralized (local) model delegates management of personal information to various business lines and departments in the organization. The power relationship and policy implementation flow from the bottom up, in this case.¹¹ This type of approach generally means that the controls and policies developed by the organization in this regard are more grounded in the organization's business reality. However, with this type of model, it is harder to get an overall picture of the inherent risk and to have uniformity in the controls put in place. This approach is suited to organizations that have a hierarchical horizontal structure and heterogeneous activities spread across multiple jurisdictions, for example. 

The hybrid approach combines the centralized and decentralized approaches. In concrete terms, it could take the following form: an organization assigns a person in charge of the protection of personal information. That person would be responsible for a team that would apply the program by developing the associated controls (for example, a privacy office or the organization's legal department). Representatives of the Office in the organization's business lines and internal departments would support the implementation and deployment of the compliance program. This model is particularly useful in large organizations with vertical hierarchical structures, particularly those operating across different jurisdictions. This model fosters uniformity in the implementation of the program while ensuring that exceptions to the compliance framework are managed by representatives of the Office when it comes to the unique features of the applicable jurisdictions in which their departments or positions operate. It may also foster adhesion by employees to the culture of protection of personal information.¹²

The roles and responsibilities of the members of the team responsible for deploying and implementing the program will depend on the governance model chosen and the way in which the tasks associated with managing the protection of personal information within the organization are divided. They may also depend on the legislative and regulatory frameworks that apply.¹³ Apart from the role of person in charge of the protection of personal information, the team may include persons in other positions: managers, analysts, lawyers, coordinators, incident management advisors, and so on. The team may also bring in representatives within its various business lines who have in-depth knowledge of operations.¹⁴

In addition, some activities relating to the protection of personal information can be carried out in common with other units in the organization such as information security or the legal services or IT departments.¹⁵ On that point, the structure must avoid duplicating tasks and facilitate the harmonization of activities among the various units. In particular, it may be agreed that putting technical security measures in place to protect the confidentiality (for example, encryption, tokenization, etc.) of personal information, and assessing the sufficiency of those measures, will be the responsibility of information security or the organization's IT department.

We believe that the hierarchical level to which the PCPPI reports should be high enough that the organization's executives have an accurate picture of the organization's compliance with its obligations.¹⁶The organization should make sure that the person in charge has an independent and impartial view of the risks involved in the protection of personal information and, in particular, that the person does not combine that position with others that could place them in a conflict of interest in performing their responsibilities.

b. Education and competencies desired

The members of your organization's team responsible for the protection of personal information may have varied profiles, although certain competencies or experience, such as legal or project management skills and experience in implementing and carrying out controls, audits and information security, are most often mentioned.¹⁷

Conclusion

The objective of this chapter was to familiarize you with the various stakeholders in the privacy compliance program and introduce certain approaches to structuring the team responsible for the program within your organization. As you will have seen, this kind of program can't be established and implemented in a silo, and calls for the contributions of a number of parties. It is therefore essential that their efforts be organized around a common vision and objectives. These points and others will be addressed in the next chapter.

Footnotes

1. This reform was effected by the enactment of Bill 64 on September 22, 2021, making it the Act to modernize legislative provisions as regards the protection of personal information, SQ 2021, c. 25, amending the Act respecting the protection of personal information in the private sector, CQLR c. P-39.1.

2. In Quebec, unless a person in charge of the protection of personal information is appointed in writing, that function falls to the person exercising the highest authority within the enterprise. On this point, see section 3.1 of Law 25. That person is naturally responsible for implementing and monitoring the controls put in place under the Privacy Program and for the performance of those controls.

3. Justine GOTTSHALL and Adam C. NELSON, "Developing a Privacy Compliance Program", Practical Law, 2016, Thomson Reuters, pp. 3-4.

4. On this point, see, for example, section 3.1 para. 2 of Law 25 in the event that the role of the person in charge of the protection of personal information is delegated.

5. For example, the title and contact information of the organization's person in charge of the protection of personal information must be published on the enterprise's website (section 3.1 para. 3 of Law 25).

6. On this point, see, in particular, section 3.2 para. 1 of Law 25.

7. For example, section 3 para. 3 of the Law 25; see also section 4.1.2 of Schedule 1 to the Personal Information Protection and Electronic Documents Act, SC 2000 c. 5 ("PIPEDA") or Article 37(7) of the General Data Protection Regulation, 2016/679. ("GDPR").

8. Ron DE JESUS, "Introduction to Privacy Program Management", in Privacy Program Management. Tools for Managing Privacy Within Your Organization. 2nd ed., Portsmouth, International Association of Privacy Professionals, 2019, 254 pp., at page 28.

9. Ibid, p. 29.

10. Ibid.

11. Ibid.

12. Ibid.,  p. 30.

13. For example, in Quebec, the role of "person in charge of the protection of personal information" is defined in section 3.1 of Law 25, while the GDPR refers to different roles, including the controller (Articles 24 et seq.), the representative of a controller not established in the European Union (Article 27) and the data protection officer (Article 37).[13]

14. Supra, note 8, pp. 3031; see also Justine GOTTSHALL and Adam C. NELSON, "Developing a Privacy Compliance Program", Practical Law, 2016, Thomson Reuters, pp. 3-4.

15. In particular, based on the GDPR, supra, section 1 of the article.

16. On this point, note that the function of the person in charge of the protection of personal information falls by default to the person exercising the highest authority within the enterprise (section 3.1 para. 2 of Law 25). In this regard, we would add that the directors, executives or representatives of the organization may be liable when a violation of the ARPPIPS is committed; on this point, see section 93 of that Act and of Law 25.2 of Law 25). It is therefore desirable that they be able to speak with the person in charge of the protection of personal information on an ad hoc basis concerning inherent compliance risks.

17. On this point, see supra, note 8 at page 32.