Firms will need at least 18 months to prepare for the new federal privacy law, Rogers official says; businesses should start now

The Liberal government has promised businesses 18 months to get ready if Parliament passes its recently proposed changes to the federal privacy law covering the private sector.

However, the chief privacy officer for one of the country's largest firms warned organizations not to complain.

Deborah Evans of Rogers Communications said Thursday during a webinar sponsored by the Canadian branch of the International Association of Privacy Professionals, "From an operational and implementation standpoint [18 months] it is necessary to be bare minimum because there is so much to digest." "Every time I study law, I come to do something new."

The House of Commons and Senate still have to debate the proposed Consumer Privacy Protection Act (CPPA, also known as C-11), which could take months to pass. Committee meetings have not yet been scheduled. So, with the additional 18 months before its provisions come into force, that can add up to a lot of time.

And, Evans said, many companies already follow similar procedures under the existing Personal Information Protection and Electronic Documents Act (PIPEDA).

However, she said, under the CPPA these procedures need to be documented, which can take a long time to establish.

"There is a lot that businesses need to do after considering it," Evans said. "The biggest operational challenge for me is allowing one window to suffice. We have complex legacy systems that will have an impact. Many commentators have said, 'This would be terrible for small and medium businesses,' but people sometimes forget that it is really hard to implement things in a large organization because we are so complex. We make our CAPEX [capital expenditure] decisions in many quarters in advance. [In Rogers] we have already planned to spend our CAPEX by 2021, and these changes have not been taken into consideration. This will be a major challenge for any organization."

For example, she said, S.7 of the CPPA states that firms are accountable for the personal information they hold, and S.9 states that every organization should implement a privacy management program that includes the organization's policies, practices and procedures surrounding the collection, use, and disclosure of personal information.

"The challenge is ensuring that it is sufficiently detailed and appropriate in the event the Privacy Commissioner inspects the program."

S.12 states that a firm may collect, use or disclose personal information "only for the purposes that a reasonable person would deem appropriate under the circumstances," Evans explained. The proposed Act defines factors that are considered appropriate, but it also requires the use and disclosure of documents. And if there is a new use for personal information beyond what the customer originally agreed to, additional consent would have to be obtained.

Evans said she refrained from using the term to suggest that there might be some "administrative complexity" under the proposed law. "I don't want to use the word 'burden,' because it would be silly for an organization to say the size of us would be a burden. This is an administrative function. Some things have to be put into it. There are some system upgrades, which I am going to do in my program so that I can easily introduce some of these at the level in which I would like the commissioner to see anything.

"It's about legal obligation, your risk assessment, confidentiality by design - bringing all those things together and making sure you've processed the documents and the right systems to manage that program."

If a firm does not already do this, she said, it has to do a data inventory to know where personal information is being kept. This is because the CPPA empowers consumers to ask to see what a company has on them, to remove information or to withdraw their consent for their personal data to be used. And firms must decide how they will respond to those requests: manually or through an automated software system. Spreadsheet work is unlikely. Compiling data inventories is not a quick job, Evans warned.

It is not that the proposed law requires things that are inappropriate, Evans repeated, but there will be what she calls "operational challenges."

Like PIPEDA, the CPPA applies to federally regulated firms (like airlines and banks) and to firms in provinces that do not have their own private sector privacy laws.

Panel moderator Constantine Karbaliotis, a lawyer at nNovation, an Ottawa law firm that focuses on privacy and data security, said that a lot of Canadian organizations prepared at the last moment for the European Union's General Data Protection Regulation (GDPR) in early 2018. "It makes us start thinking about this sooner than later."

This is a minority government, he acknowledged, and it could collapse at any time. And the COVID-19 epidemic means that other priorities can take up Parliament's time.

However, he stated that in the 2019 election campaign all parties agreed that PIPEDA needed to be updated. "I don't think the parties want to go the way of the law protecting consumers," he said. And PIPEDA needs to be changed to get closer to the GDPR. The European Union has to decide whether Canadian privacy laws are similar to the GDPR for organizations that transfer personal data between the two jurisdictions, and, Karbaliotis said, trade with Europe is important.

For these reasons, he believes the CPPA will be passed in the current session.

He called the CPPA "well-balanced" between the demands of the GDPR and the toughest privacy legislation in US states, and hoped that when the law goes to parliamentary committees for discussion, private sector concerns can be overcome.
