Have you received a lot of “We’ve updated our privacy policy” messages from websites, apps, and other online or mobile services lately? That’s the world adjusting to the GDPR, or General Data Protection Regulation, the European Union law that took effect last May 25. GDPR is a set of rules governing data privacy and protection for EU citizens, as well as the export of personal data outside the European Union (EU) and the European Economic Area (EEA).

But long before the GDPR, we Canadians passed PIPEDA, or the Personal Information Protection and Electronic Documents Act, which became law in April 2000. That was our government’s way of safeguarding our citizens’ data. Compared with U.S. data privacy laws, Canada’s are much stricter in terms of privacy and security.

PIPEDA governs the collection, use, and disclosure of personal data in the course of commercial activity. It consists of ten principles, but the basic spirit of PIPEDA is the protection of the customer’s privacy:

  • The collection, use, and disclosure of personal information requires the consent of the customer.
  • Customers have the right to access and change their information when necessary.

In today’s business environment, tech-savvy companies reach out to their consumers through official websites, social media, and even mobile apps. These avenues require customers to log in and provide personal information to the companies. The more Canadian companies engage with their customers electronically, the more they need to comply with PIPEDA.

Here’s a list of things a company needs to do to ensure that their customers’ data are safe and secure.

Assign an officer in charge of PIPEDA compliance

This person is in charge of monitoring and enforcing the company’s data protection policies. He or she also serves as the liaison officer for customers who have inquiries about such procedures.

Develop and implement policies for safeguarding personal data

These policies should cover both internal (employees) and external (customers, clients, suppliers, business partners, etc.) individuals, and include the following important provisions:

  • Identify the kind of data needed before it is collected.
  • State clearly the purpose of the information collection. If data will be used for another purpose later on, the customer should be informed of that as well.
  • Get the consent of the customer before collection. Consent can be written or verbal, but proof must be kept.
  • Store information only until its purpose is served. Do not retain data beyond its use; it should be deleted or destroyed.
  • Apply physical and electronic safeguards to ensure the privacy of information.

Provide customers with their personal data

Customers have the right to know what information was collected from them. A company should disclose all the data it has on its customers if they request it.

Educate employees about the company policies on data protection

Brief employees on the importance of privacy and data protection, as they have the same privacy rights that customers have. When employees understand and value company policies, they’ll be more likely to enforce them.

Institute procedures in case of a breach

Policies should be in place to protect data against accidental or deliberate access by unauthorized persons. The following steps should be included:

  • Immediate containment of the breach
  • Notification of customers whose information may have been compromised
  • Assessment of the breach to secure information and prevent further leakage
  • Full investigation of the breach
  • Comprehensive documentation of the breach

Different businesses will require different PIPEDA compliance procedures, depending on the industry they’re in. Canadian companies can learn more about their obligations under PIPEDA with this primer from the government.

Should a Canadian company need to be PIPEDA-compliant (or GDPR-compliant), it will require legal counsel from your firm. We at Vertex Solutions are your legal IT experts who can help you provide the best service for your clients, for example by updating their privacy policy. Contact us today so you can experience award-winning customer service from “one of the best managed services providers in the world.”