Three Seldom-Discussed Privacy Management Practices for 2021

Preparation is Essential: In the New Year, Businesses Will Have Added Privacy Responsibilities.

The Office of the Privacy Commissioner of Canada (OPC) surveys Canadian companies every two years to track progress and trends in privacy compliance. The interviewees are senior leaders with responsibility for and knowledge of their company’s privacy and security practices. The latest survey, from 2019, looked at a number of organizations, of which 96% were small and medium-sized businesses. It yielded many insights intended to help businesses of all sizes with their approach to privacy policies and practices, their compliance with the applicable laws, and their overall awareness of and plans for privacy protection.

While two-thirds of the companies surveyed said they had an internal privacy policy in place, only one-third of the same companies notified their clients of updates to their policies. In addition, only a third of respondents said that they actually have a public website privacy notice.

We at Managed Privacy Canada wanted to know how many Canadian small and medium-sized businesses (SMBs) really understand what their privacy responsibilities are. Here are our top 3 tips to help SMBs understand and correctly implement the fundamental privacy practices few seem concerned about:

MPC Tip 1: There is a difference between an internal Privacy Policy and a Website Privacy Notice.

An internal privacy policy alone is not sufficient, but every business that handles personal information should have one. An internal privacy policy outlines the rules employees need to follow to protect internal and customer personal information.

In addition, businesses need a website privacy notice explaining the following in plain language:

+ How they collect, use and disclose customer information
+ The purposes for which customer personal information is collected
+ Which personal information will be shared and with whom
+ How they protect this information
+ How long they plan to legitimately retain their customer-related personal information

MPC Tip 2: Businesses should appoint a senior individual with accountability for personal information.

At MPC we understand that small businesses especially do not have the bandwidth for dedicated privacy management roles. Nevertheless, responsibilities for compliance with applicable laws and the internal privacy policy need to be shared and embedded throughout the business practices.

Having a Privacy Policy, a Privacy Officer and a Privacy Impact Assessment are good things, but they are not “Plenty of Privacy”. In fact, they can be entirely insufficient, inadequate and often lead to a False Sense of Privacy (FSP).

Do SMBs really know what it means to have implemented an internal Privacy Policy and if tested, could they “pass” on the promises they make in their public website privacy notice?

OPC 2019-2020 Survey of Canadian Businesses on Privacy related issues

MPC Tip 3: An email forwarder does not establish proper accountability for privacy functions.

Neither does sneaking up on an unsuspecting office administrator and emphatically announcing that she will now be trusted with the role of Chief Privacy Officer. In fact, delegating responsibility can sometimes increase accountability for management and directors.

Managed Privacy Canada (MPC) concurs with the OPC that businesses’ awareness of the applicable laws has increased. While larger companies (i.e., companies with at least 100 employees) are more likely to have put in place a series of privacy practices and policies or procedures to assess privacy risks, MPC found that SMBs are increasingly in the process of appointing, or have already appointed, a senior business leader to provide guidance to the business on privacy matters. But is this Officer the right person to advise on privacy compliance?

Based on the OPC finding, the gap with respect to elevating the importance of privacy compliance to a strategic level can only be explained by the fact that most of the organizations surveyed, which were SMBs, do not have the right knowledge to inform their privacy compliance activities and programs because they did not appoint a privacy-savvy senior individual to manage the privacy program.

Businesses do not need to experience a “near-miss” or a breach to pay attention to their privacy and data protection practices. When businesses do not align their privacy goals with their business objectives, they risk missing important privacy-related responsibilities that attract positive results such as business gains through new customers, influencers, new partnerships and more clients.

With MPC’s focus on helping small businesses improve their privacy protection practices, SMBs can now find on-demand knowledge from the best authoritative sources and practical guidance on how to implement their responsibilities in direct alignment with the generation of business value.

To help you get started with Privacy Management, the Practical Privacy Playbook is now available from the MPC at a discount for a limited time. This unique resource is available as a starting guide to build the foundation of any privacy compliance program.

For additional insights and certified expertise:
Email: [email protected]
Twitter: @managedprivacy
