On several occasions since 2019, I’ve co-presented a workshop on privacy and security with a local IT company that provides small and medium-sized businesses (SMBs) with high-quality managed IT services. They implement and control technical safeguards for their clients, but when that work isn’t supported by a privacy framework, they often end up dealing with data breaches that could have been prevented. I really enjoy these presentations, because they connect privacy and IT to reduce risk, maximize data protection and help businesses grow and succeed.
What does privacy do that IT security doesn’t?
IT security protects data – once you have the data. What it doesn’t do is examine what data you have, how you collect it, what you do with it, how you share it, how long you keep it, how you destroy it or why you collected it in the first place. All of this matters, because if your business is located within British Columbia (BC) and it collects, uses or discloses personal information (PI), you are obligated to comply with BC’s Personal Information Protection Act.
What is the Personal Information Protection Act (PIPA)?
Effective as of January 2004, the Personal Information Protection Act sets out the rules by which private sector organizations can collect, use and disclose PI from employees, customers and clients, and requires organizations to protect and secure PI against unauthorized use or disclosure.
The Office of the Information and Privacy Commissioner for British Columbia (OIPC) provides independent oversight and enforcement of PIPA. Its mandate includes investigating and resolving privacy complaints and, where there are reasonable grounds to suspect non-compliance or where it is in the public interest, initiating investigations and audits of organizations.
What do I need to do to be compliant?
Compliance includes organizational commitment, program controls and ongoing review and assessment of the program controls. I recommend the OIPC’s guidance document, , to understand what you need to do to make sure your business is compliant.
Why should I make this a priority?
Protecting PI shouldn’t just be something you do to comply with the law. From an ethics and integrity perspective, it’s the right thing to do. Individuals retain the rights to their PI even after they provide it to you for specific purposes. They rely on you to safeguard their PI – just as you expect and rely on other businesses that collect your PI to safeguard it for you.
From a risk and cost perspective, SMBs have much more to lose from data breaches. They simply don’t have the financial resources to recover from a major breach, or the ability to survive the damage to their reputation, that large companies have.
Also, organizations that develop a strong privacy culture are better positioned to reduce the human error that leads to breaches, improve their brand value through trust-based loyalty, differentiate themselves from their competition and adapt quickly to regulatory changes.
Why is this important now?
In Canada, provincial privacy law must be substantially similar to federal law. Bill C-11 is in its second reading in Ottawa, and this proposed new federal law would allow the privacy commissioner to request access to an organization’s privacy management program at any time, so you will need to have one in place. Knowing that it can take several months to pull one together, I’d advise you to start now. Besides, with all the benefits that come with compliance, why delay when you can start taking advantage of them now?
Marilyn Sing is a privacy consultant who focuses on helping small and mid-sized businesses reach compliance with BC’s Personal Information Protection Act.