If you run a Canadian-based business, recent changes to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) / Digital Privacy Act could mean significant changes in how you gather personal information from customers, employees and Canadian residents, what you do with the data you’ve collected, and how you handle security breaches on your network.

Recent security breaches at Equifax and Uber, as well as other high-profile companies, both in Canada and abroad, have resulted in a public outcry for better regulations to protect consumer privacy.

The Digital Privacy Act, the most recent amendment to PIPEDA, is designed to force businesses to be more proactive about the security of customer information and protect consumer interests.

When the Digital Privacy Act is enacted, organizations and commercial businesses will be required to:

1. Report to the Office of the Privacy Commissioner of Canada any security breach that might cause significant harm

This means more transparency for Canadian residents / consumers about future breaches. But it can also mean big hits to consumer confidence in your business if your company experiences even a minor breach in security.

2. Maintain records about any security breach for a minimum of 2 years

This means you’ll need to pay more attention to the documented procedures you use and create a plan to make information about security breaches available for up to 2 years.

Organizations that fail to comply with the new reporting requirements could face significant fines, up to $100,000 per violation.

In light of these new regulations, it’s obvious that security needs to be a primary concern for your business. As the old saying goes, the best defense is a good offense. Here are some things you should be doing right now to minimize your risks and protect your customers’ valuable information.

What Is Personal Information?

Before you can create an effective plan for safeguarding your customers’ information, it’s important to understand what is included in the definition of personal information.

Personal information is any data that identifies a specific individual or that could be used to steal another person’s identity.

Examples of personal information include:

  • Name
  • Social Insurance number
  • Driver’s Licence number
  • Age
  • Mailing address
  • Email address
  • Phone number
  • Marital status
  • Education level
  • Race, nationality or ethnic origin
  • Religious affiliation
  • Fingerprints or voiceprint
  • Medical records, including blood type, test results, diagnoses, DNA information
  • Financial information including income, bank accounts, credit card numbers, loan information, tax returns and credit reports
  • Customer behaviour data including spending habits and transaction history


Tips to Keep Personal Information Safe

Limit the Amount of Personal Information You Collect

Current PIPEDA regulations require businesses to collect the least amount of personal information that will allow them to complete the transaction or provide a product or service. You are permitted to collect additional information; however, you must make such requests for information optional. You may also ask for permission to use the collected information for a secondary purpose, such as marketing; however, granting that permission must be optional.

In addition to following the PIPEDA guidelines, carefully evaluate the information you collect and determine if it is truly necessary. The less personal information you collect, the less vulnerable your business will be to data breaches and the less time you will spend securing that information.

Add Safeguards to Protect Personal Information

Carefully evaluate the information you collect from consumers, where it is stored and for how long. You should have a plan in place to encrypt or password protect sensitive information on all devices including desktops, laptops, servers, portable hard drives, or USB keys.

Limit Access to Sensitive Information

Access to sensitive personal information should only be granted to employees who need the information in order to perform their job functions. It is important to create layers of security and limit access whenever possible.

Provide Details of Your Security Policy to Customers

Make sure every customer has access to a copy of your complete privacy policy that includes the information you collect, why you collect the information and how the customer can contact you to make corrections to the information you have on file.

Invest in Proper Training

Make sure all employees are trained on the company procedures for safeguarding personal information and regularly review policies and procedures as they change.

Invest in Advanced Security Measures

If you do not have a dedicated IT support staff onsite, hire a trusted IT company to audit your network, update your security, and monitor your network 24/7 to prevent breaches and catch hacking attempts or data theft sooner.

While compliance with the latest security regulations can be a challenging prospect, especially for small and medium-sized businesses, getting the right security in place not only protects your customers’ valuable information, but will also protect your reputation and establish your business as a trusted brand that will help you continue to grow and prosper.

Do you need help to get your security procedures in order to prepare for the latest PIPEDA amendment? Get the peace of mind you need to comply with the new regulations and keep your network secure with better information management, 24/7 security monitoring and free cyber security education from the Technical Action Group.