Changing laws and privacy culture around the world, a growing sophistication of cybersecurity threats, innovations in response to the COVID-19 pandemic and environmental, social and governance priorities, increased data outsourcing and a peak in M&A deal activity means that privacy issues are more prevalent than ever.
Organizations know that the consequences of failing to safeguard personal information in the face of an incident can be enormous. What steps should they prioritize to mitigate risks and mature their privacy management programs?
This article identifies our five top tips and a checklist to get you started.
1. Respond, don't react: Accountability and governance
We are seeing a significant trend towards development and reform of privacy laws across Canada and globally. In Canada, modernization of privacy laws has generally involved enhanced transparency of organizations' practices, increased consumer control of personal information, addressing new/emerging technology issues (such as pseudonymized and anonymized information, automated decision-making and biometrics) and bolstered enforcement powers of privacy commissioners. See BLG's previous articles Changes to B.C.'s public sector privacy legislation, Special committee recommendations to modernize B.C.'s private sector privacy law and Québec Privacy Law Reform: A Compliance Guide for Organizations for more information.
Organizations should take steps to mature their privacy management programs to comply with - or to prepare to comply with - modernized privacy laws, rather than reacting to changes.
2. More than just IT: Incident response
The volume and sophistication of cybersecurity threats and incidents involving personal information increased during the COVID-19 pandemic and so did insurance premiums. Regardless of size, industry, or even cyber maturity, a cybersecurity incident can be challenging and costly for an organization.
Organizations should takes steps to implement and regularly update an appropriate incident response plan to respond to cybersecurity incidents when - not if - they happen. An effective incident response plan is short, straightforward and actionable. Most importantly, it involves more than just the IT department.
3. Keep up, flag issues: Innovation
Innovative technologies, such as connected and smart products, artificial intelligence, robotics, biometrics and the metaverse, have changed the way we live. We see this in numerous innovative technologies rolled out in response to the COVID-19 pandemic, such as cloud-hosted collaboration and video-conferencing platforms and apps to process vaccination passports. With the introduction of 5G, even more innovative technology will be possible and novel privacy risks will be inevitable.
Whether an organization is innovating or using these innovations, there are privacy mitigation steps it can take to guide the business when developing or procuring innovative technology.
4. Get it right: Outsourcing
Outsourcing arrangements that involve the processing of personal information are increasingly common and important for many organizations. Outsourcing can provide significant benefits, but it can also present potentially significant business and legal compliance risks.
Organizations are accountable and must adequately safeguard, personal information that is transferred to a third party service provider. While organizations often seek to protect personal information transferred to a service provider through contractual means, Canadian privacy commissioners have noted that merely imposing a contractual requirement to comply with Canadian privacy laws is insufficient. See PIPEDA Findings #2020-001.
Rather, the organization should take steps throughout the entire relationship, including during due diligence, contract negotiation and after contract implementation, to get personal information protection right with their service provider.
5. Don't forget: Privacy risks and M&A
Canada has seen a recent peak in M&A deal activity. Privacy and cyber risks that go undiscovered in the M&A transaction process can result in potentially significant costs and liabilities post-closing. Further, the M&A transaction process itself can give rise to privacy and cyber risks. See BLG's previous article Managing cyber risks in M&A transactions.
Organizations should take steps throughout the M&A transaction process to identify potential and existing privacy and cyber risks and to avoid creating new ones.
By following the top tips and checklist outlined in this article, organizations will be well positioned to manage privacy risks in 2022. BLG has a team of lawyers with expertise in cybersecurity, privacy and data protection and we regularly advise clients on these matters. For assistance, please reach out to one of the key contacts below.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.