But long before the GDPR, we Canadians passed PIPEDA, or the Personal Information Protection and Electronic Documents Act, which became law in April 2000. That was our government’s way of safeguarding our citizens’ data. Compared with U.S. data privacy laws, Canada’s are much stricter in terms of privacy and security.
PIPEDA governs the collection, use, and disclosure of personal data for commercial business. It consists of ten principles, but the basic spirit of PIPEDA is the protection of the customer’s privacy:
- The collection, use, and disclosure of personal information requires the consent of the customer.
- Customers have the right to access and change their information when necessary.
In today’s business environment, tech-savvy companies reach out to their consumers through official websites, social media, and even mobile apps. These avenues require customers to log in and provide personal information to the companies. The more Canadian companies engage with their customers electronically, the more they need to comply with PIPEDA.
Here’s a list of things a company needs to do to ensure that its customers’ data are safe and secure.
Assign an officer in charge of PIPEDA compliance
This person is in charge of monitoring and enforcing the company’s data protection policies. He or she also serves as the liaison officer for customers who have inquiries about such procedures.
Develop and implement policies for safeguarding our citizens’ data
These policies should cover both internal (employees) and external (customers, clients, suppliers, business partners, etc.) individuals, and include the following important provisions:
- Identify the kind of data needed before it is collected.
- State clearly the purpose of the information collection. If data will be used for another purpose later on, the customer should be informed of that as well.
- Get the consent of the customer before collection. Consent can be written or verbal, but proof must be kept.
- Store information only until its purpose is served. Do not retain data beyond its use; it should be deleted or destroyed.
- Apply physical and electronic safeguards to ensure the privacy of information.
Provide customers with their personal data
Customers have the right to know what information was collected from them. A company should disclose all the data it has on its customers if they request it.
Educate employees about the company policies on data protection
Brief employees on the importance of privacy and data protection, as they too have the same privacy rights that customers have. When employees appreciate company policies, they’ll be more likely to enforce them.
Institute procedures in case of a breach
Policies should be in place to protect data against accidental or deliberate access by unauthorized persons. The following steps should be included:
- Immediate containment of the breach
- Notification of customers whose information may have been compromised
- Assessment of the breach to secure information and prevent further leakage
- Full investigation of the breach
- Comprehensive documentation of the breach
Different businesses will require different PIPEDA compliance procedures, depending on the industry they’re in. Canadian companies can learn more about their obligations under PIPEDA with this primer from the government.