Businesses should be worried that Canadians increasingly don’t trust them to handle their personal data and information generated through online buying, according to a senior federal privacy official.
In an interview to mark the 14th annual International Data Privacy Day, deputy privacy commissioner Gregory Smolynec noted that surveys show 90 per cent of Canadian respondents say they are very concerned about their inability to protect their privacy.
“Very high numbers of Canadians believe businesses do not respect their privacy right,” he added. “This should raise concerns.”
The few countries that began observing January 28 as Data Privacy Day, to raise awareness among businesses, governments and consumers about data protection best practices, have grown to 50. Yet judging by the regular reports of data breaches there hasn’t been much progress.
In November the Office of the Privacy Commissioner estimated the personal information of 28 million Canadians had been exposed in the first 12 months of mandatory federal data breach reporting.
In his annual report issued a month later, Privacy Commissioner Daniel Therrien repeated his plea for Ottawa to recognize privacy as a fundamental right in law.
The current law (the Personal Information Protection and Electronic Documents Act, also known as PIPEDA) and the Liberal government’s seeming unwillingness to consider giving his office much stronger enforcement power, “create an excellent incentive for companies not to take privacy seriously, change their practices only if forced to after years of litigation, and generally proceed without much concern for compliance with privacy laws,” said Therrien.
A recent Novipro-Leger survey of 496 IT and other officials from Canadian companies released this week found that not quite half the companies (48 per cent) had reviewed their data practices in 2019. Fewer than half of respondents believed their organizations were very well protected against data loss (46 per cent), data breaches (44 per cent), and viruses (45 per cent).
“Canadian businesses have been slow to tighten up their practices and are struggling to respond to the growing threat,” concluded the report. (Registration required)
On the other side, a recent survey released by data management provider Tealium showed half of U.S. consumer respondents don’t feel well informed about how businesses are using their data.
Asked if businesses don’t take privacy seriously, Smolynec noted new communications technologies are having an impact on privacy and expose businesses to vulnerabilities.
“There are some businesses that are not compliant (with PIPEDA), there are other businesses that have to develop robust privacy programs and cybersecurity measures to protect themselves.”
To show Canadians they are tough about privacy businesses need to make sure they follow PIPEDA and get “meaningful consent” to the personally identifiable data they collect, he said. That includes explaining what personal information is being collected, the purpose of the collection, who it is being shared with, how it may be used and any potential risks. The OPC website has advice for businesses on consent here.
The OPC today also issued a package the public can use to spark discussion about privacy.
“It’s very critical for businesses to pay close attention to their processes related to [data] security and they have to make sure they have invested and structured themselves to address the risks of breaches,” said Smolynec. “That will help improve trust.”
Research firm Gartner also believes organizations need to pay more attention to the link between privacy and trust. Privacy is becoming a reason for consumers to purchase a product, in the same way that “organic,” “free trade” and “cruelty-free” labels have driven product sales, it said in a note earlier this month.
“Privacy-first products are likely to follow this trend,” said Bart Willemsen, a Gartner vice-president. “To increase customer trust, executive leaders need to build a holistic and adaptive privacy program across the organization, and be proactive instead of responding to each jurisdictional challenge.”
More than 60 jurisdictions around the world have enacted or proposed postmodern privacy and data protection laws, following the introduction of the EU’s General Data Protection Regulation (GDPR) in 2018.
“People are actively demanding privacy protection — and legislators are reacting,” said Willemsen. “If your organization operates globally, focus on standardizing operations in accordance with the GDPR, and then adjust as required for local requirements.”
He suggests using technology solutions that automate portions of a privacy management program. He also urged organizations to appoint a data privacy officer who reports to the board.
Dave Masson, Ottawa-based director of enterprise cybersecurity for Darktrace, said in an interview that Data Privacy Day should mean to an organization that — if it isn’t already doing so — it has to start protecting the personally identifiable information of customer and employees. The consequences of data theft could be “disastrous,” he said, including lawsuits and severe damage to the organization’s reputation.
“Organizations still struggle with visibility of what they have on their network,” he said, emphasizing the complexities introduced by cloud architectures. “That’s one of the problems — they can’t see what they’ve got.
“If I was an organization and confident in my security approach, I would be very proud to point out [on Data Privacy Day] what’s in place … as a way of assuring people you’re taking this seriously.”
Organizations need to take “trustworthiness” more seriously, Eve Maler, interim CTO of digital identity provider ForgeRock, said in an interview.
Data regulations have been around for years, she argued, but they have focused on basic data protection. Newer regulations demand data transparency — telling consumers what the firm knows about them — and allowing customers more control over their data. So successful organizations need to go beyond compliance to establish trust.
Organizations have to think more carefully about the privacy implications of their products, she said. For example, one company has had to withdraw what it hoped was a promising child bedroom monitor after complaints it wasn’t secure.
“That’s an awfully expensive way to go to market,” Maler said.
To impress customers, firms should also look at the personal data they collect as a joint asset, she added.
In the run-up to Data Privacy Day, a number of firms in the security space released statements warning of the need to act.
“We currently see many companies paying catch-up with new regulations, working to implement the right security tools and practices after a breach,” said Darrell Long, vice-president of product management at One Identity. “Hopefully, Data Privacy Day becomes a good initiative to remind companies to think ahead and maintain a proactive stance on privacy before a cyber incident occurs.”
Data Privacy Day “is all about raising awareness of how organizations put the vast amount of sensitive data they store at risk and encouraging everyone to take action to better protect this data,” said Ray Overby, CTO and co-founder of Key Resources.
One major risk to data privacy is excessive access, which simply means that there are individuals, either internally or externally, who have unnecessary access to corporate information.
“The more people with access to information, the more likely your data will be compromised,” he said. “These issues can crop up inadvertently and go undetected for years, so organizations need to include excessive access checking in ongoing security processes.”
Another tip for organizations to improve data privacy practices, he said, is to accurately inventory, classify, and define data ownership.
Companies have to remember that consumers entrust them with their personal data, said Anis Uzzaman, CEO and General Partner of Pegasus Tech Ventures.
“On Data Privacy Day, it’s important to remember that sensitive information needs safeguarding more than ever before,” indicated Uzzaman. “Some information that particularly needs to be protected by companies includes personal health data as this is very sensitive information that most people don’t want to be shared or used against them for future decisions they may want to make.”
When companies make the move to new application systems, it is essential to ensure a smooth transition by implementing best practices such as conducting a thorough inventory to determine no personal data is being collected, adequately backing it up, and properly protecting it with appropriate security platforms, said Steele Arbeeny, CTO of SNP Group.
This will be the first year Data Privacy Day will be celebrated with the new tough California Consumer Privacy Act (CCPA), which came into effect at the beginning of January.