We have all seen the increased digitization of our world over the last decade, which has become even more apparent now as the pandemic fueled innovation for businesses across the globe.
At the core of these efforts is a key ingredient for success that is also a topic of controversy – personal data. Until recently, there have been few legal mandates to govern business practices around privacy and personal information. The way companies have collected and used data in Canada has been almost entirely up to them.
In 2018, the European Union set a precedent when it implemented the groundbreaking General Data Protection Regulation (GDPR) privacy framework to empower individual consumers to control their personal information and expand their privacy and legal protections. In 2020, California passed a similar privacy law called the California Privacy Rights Act (CPRA). Now, we’re beginning to see an emphasis placed on the privacy and protection of consumers in Canada as well with the recent tabling of Bill C-11, the Digital Charter Implementation Act, 2020 (DCIA).
If passed, the new legislation will give Canadians more control over their personal information. It will also require greater transparency over how private sector organizations handle their personal information, with the potential for financial penalties for noncompliance. It goes without saying that this can have a substantial impact on how organizations operate within the country.
Whether you’re a C-suite business leader like a CIO or a technologist working in AppOps or DevOps teams, you should be acutely aware of this legislation and what it means for both your organization and your customers. In most cases where new legislation is introduced, a team will be established to audit any customer data you have stored and ensure compliance. In collaboration with the audit team, you can start by assessing how your company collects and handles personal data, then prepare to make timely changes that are compliant and pose minimal disruption to your business.
Evaluating your privacy and data practices
When it comes to assessing the privacy and data practices of your organization, it’s best to take stock of where the company is right now. That way, if the legislation is passed, you can save time, money and frustration by being prepared to make the necessary changes to become compliant.
It’s important to note that to properly address potential privacy regulations, you can’t rely on general assumptions of where you think personal data might exist. Data privacy laws, like those imposed by the GDPR and CPRA, typically require organizations to understand where personal data is located at any given time. This is especially important for CIOs and AppOps teams as they look to continue leveraging application data to make critical business decisions.
They should account for all locations where it might be stored, including on-premise data centres, public and private cloud, and mobile devices. This will help understand where to begin readiness work to not only become compliant but to plan how teams can remain agile in their roles while navigating new regulations.
When evaluating your privacy and data practices, you have to make sure you understand the data your company handles and how it’s used. The large variety of data your company may collect, and store can be overwhelming, but will commonly include basic identity information of customers and employees such as name, address and ID numbers, as well as web data such as location, IP address, cookie data and radio-frequency identification (RFID) tags. Once you have a grasp on the types of data housed within your organization, attempt to review your current processes for personal data collection, storage, usage and removal. This includes where personal data is stored, what type it is, and how much of it there is, and under what circumstances it was collected.
Preparing to make meaningful changes
Canada is not the first nation to push for greater privacy protections for consumers. To gauge the potential impact of new legislation, we can look to neighbours to the South and overseas for an indication of what’s to come. According to a recent data privacy study from Cisco that asked respondents in the European Union about the downstream effects of the GDPR’s implementation, 97 per cent reported favourable outcomes ranging from increased agility to operational efficiency, a new competitive advantage, and reduced sales delays due to privacy concerns.
This tells us that even though the GDPR was thought to be a significant challenge to businesses, the regulation has set a range of improvements into motion. The aforementioned data privacy study states these improvements have led to increased business efficiency and even reduced downtime associated with data breaches. It’s clear that by insisting companies identify the location of personally identifiable data and to apply the appropriate protections, regulations like the GDPR and CPRA have drawn companies’ attention to the data lifecycle and prompted them to develop stronger security measures.
Once you’ve evaluated your organization’s privacy and data practices you can capitalize on your newfound knowledge by preparing to make meaningful changes. These can include developing and implementing internal processes, procedures, and security controls for storing, managing, sharing, and transferring personal data. CIOs and AppOps professionals can coordinate a cross-functional effort between their privacy and product teams to unlock new business opportunities. There’s huge potential to enhance existing offerings to make it simple for customers to use your products and services in compliance with upcoming legislation.
As a leader in your organization, it’s important to be agile in response to future changes that can impact your business. In anticipation of new privacy legislation in Canada, it’s important to develop a mature data environment that protects its stakeholders and gives the data lifecycle the attention it deserves. Because privacy is no longer just about compliance. It’s key to ensuring satisfaction, earning trust, and staying competitive.