The Canadian Privacy Commissioner’s office released a survey of privacy attitudes among 1500 Canadians late last week, which had some surprising results. In particular, CIOs should be concerned about how individuals view businesses’ treatment of their personal data.
Seventy-seven per cent of Canadians overall have refused to give personal information to an organization at some point. In the last year or so, one in three people had asked a company how it uses or protects the information before doing business with it, and 43 per cent of those people subsequently refused to do business with the company.
Eighty-one per cent of respondents said that they would decide whether to do business with a company based on its reputation for privacy practices.
Seventy-eight per cent of people are also less willing than they were to share their personal information with organizations, following media stories about sensitive data being made public. With organisations from Target to Home Depot suffering huge breaches, it’s no wonder that consumers are worried.
What should CIOs draw from all this? Sylvia Kingsmill, national privacy practice leader at Deloitte Canada, said that it could have a detrimental effect on the use of customer data for marketing and other purposes.
“This will have a stifling effect on consumer initiatives where many companies have built or are building data repositories and analytics capabilities, or exploring the art of the possible with consumer data for many initiatives like direct-to-consumer e-commerce programs, or loyalty programs,” Kingsmill said.
Companies should be positioning themselves to win back consumers’ trust, she added. Instead of reviewing privacy and data security practices as simply a risk management issue, companies could be using this as a brand-building exercise, she warned.
How does that happen? Focus on Privacy by Design, she said. This concept, articulated by former Ontario privacy commissioner Ann Cavoukian, focuses on embedding privacy into an organisation’s operations from the ground up, and it’s something that requires senior management involvement.
“This means putting the Chief Privacy Officer in the C-Suite and elevating this executive with ultimate responsibility for data privacy to send a message to the marketplace that companies are taking privacy seriously,” she said. “It also means having a solid privacy policy in place, without technical jargon that acts more like a marketing tool rather than a legal document.”
Kingsmill advises companies to carry out risk assessments on a regular basis, including measurable metrics to gauge the effectiveness of privacy practices. And this information should be fed back to the board, she added.
Organizations should be folding both cybersecurity and operational processes around data handling into their planning. This will help to stop hackers pilfering customer data, while also preventing staff from sending people’s sensitive personal information to other people because an organization lacks the proper operational governance.
One of the problems for Canadian consumers is that there is no federal data breach disclosure legislation at present. Alberta introduced data breach notification measures at the provincial level through its own private sector Personal Information Protection Act (PIPA), which is now in effect again after having been amended to render it valid under constitutional law. There are also several sector-specific data notification laws in some Canadian provinces.
At the federal level, there have been several attempts to introduce data breach notification laws, with Bills C-29 and C-12, both of which failed to become law. Now, Bill S-4 plans to implement data breach notification measures for companies.
“The feds need to keep pace not only with their provincial counterparts, like Alberta, Ontario, Newfoundland and New Brunswick, which mandate breach notification for the private and health care sectors, respectively, but also with the US which has breach notification laws in almost every state,” said Kingsmill.