March is FinTech Month
In the 2020 annual survey of businesses published by the Office of the Privacy Commissioner for Canada, 69% of businesses rate the importance of protecting customer privacy as an extremely important corporate objective. Yet only 38% of companies responding to the survey have a privacy risk assessment policy in place.
Taking your customer’s privacy “seriously” requires a lot more effort than simply downloading a set of predetermined policies and generic privacy impact assessments that you think fit your circumstances. Every business is different and a properly constructed privacy management system should fit your corporate objectives like a well-tailored suit fits a CEO.
The ISO 27000 security standard defines risk management as:
“a systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.”
There’s a lot of work packed into that statement. But getting it right means building customer trust and loyalty – a significant competitive advantage. Getting it wrong can be expensive. Beyond the reputational damage, companies with poor privacy practices are 80% more likely to suffer a data breach and lose 600% more records in a breach than companies with best-in-class privacy practices.
(Privacy Risk Policies)
The regulatory landscape is also changing. The General Data Protection Regulation in the EU was just the first wave of putting the brakes on the surveillance economy. New concepts in privacy regulation have been introduced:
- here in Canada – such as assessing the volume and sensitivity/risk of personal information and making that assessment available to the Office of the Privacy Commissioner of Canada;
- in Quebec – the obligation to assess the appropriate purposes of data collection, which will force organizations to reevaluate their data collection activities and shift from a passive approach to privacy to an active privacy management program, or face significant fines;
- in California – the new and important amendments to the CCPA banning the use of dark patterns that attempt to stop users from opting out of the sale of their personal data;
- in the CPPA, CPRA and (Virginia) VCDPA – the introduction of data deletion requests, which relies on the business’s ability to make swift risk-based decisions while balancing business vs. privacy/security interests.
Large tech companies have built empires by ignoring privacy and monetizing personal information. Continuing those practices despite regulatory change, advocates and public scrutiny has cost them billions in fines and reputational damage – apparently the revenue outweighs the risks. Does your company have deep enough pockets to be privacy complacent the same way big tech does?
Stay alert by knowing your privacy compliance obligations. Build a compliance program that anticipates and is prepared for future regulatory requirements.
Get a better fit: managedprivacy.ca