Data Privacy Day warning: Organizations that succeed take privacy seriously

Businesses should be worried that Canadians increasingly don’t trust them to handle their personal data and information generated through online buying, according to a senior federal privacy official.

In an interview to mark the 14th annual International Data Privacy Day, deputy privacy commissioner Gregory Smolynec noted that surveys show 90 per cent of Canadian respondents say they are very concerned about their inability to protect their privacy.

“Very high numbers of Canadians believe businesses do not respect their privacy right,” he added. “This should raise concerns.”

The few countries that began observing January 28 as Data Privacy Day to raise awareness among businesses, governments and consumers about data protection best practices have grown to 50. Yet judging by the regular reports of data breaches, there hasn’t been much progress.

In November the Office of the Privacy Commissioner estimated the personal information of 28 million Canadians had been exposed in the first 12 months of mandatory federal data breach reporting.

In his annual report issued a month later, Privacy Commissioner Daniel Therrien repeated his plea for Ottawa to recognize privacy as a fundamental right in law.

The current law (the Personal Information Protection and Electronic Documents Act, also known as PIPEDA) and the Liberal government’s seeming unwillingness to consider giving his office much stronger enforcement power, “create an excellent incentive for companies not to take privacy seriously, change their practices only if forced to after years of litigation, and generally proceed without much concern for compliance with privacy laws,” said Therrien.

A recent Novipro-Leger survey of 496 IT and other officials from Canadian companies released this week found that not quite half the companies (48 per cent) had reviewed their data practices in 2019. Fewer than half of respondents believed their organizations were very well protected against data loss (46 per cent), data breaches (44 per cent), and viruses (45 per cent).

“Canadian businesses have been slow to tighten up their practices and are struggling to respond to the growing threat,” concluded the report. (Registration required)

On the other side, a recent survey released by data management provider Tealium showed half of U.S. consumer respondents don’t feel well informed about how businesses are using their data.

Asked if businesses don’t take privacy seriously, Smolynec noted new communications technologies are having an impact on privacy and expose businesses to vulnerabilities.

“There are some businesses that are not compliant (with PIPEDA), there are other businesses that have to develop robust privacy programs and cybersecurity measures to protect themselves.”

To show Canadians they are tough about privacy, businesses need to make sure they follow PIPEDA and get “meaningful consent” to the personally identifiable data they collect, he said. That includes explaining what personal information is being collected, the purpose of the collection, who it is being shared with, how it may be used and any potential risks. The OPC website has advice for businesses on consent.

“It’s very critical for businesses to pay close attention to their processes related to [data] security and they have to make sure they have invested and structured themselves to address the risks of breaches,” said Smolynec. “That will help improve trust.”

Research firm Gartner also believes organizations need to pay more attention to the link between privacy and trust. Privacy is becoming a reason for consumers to purchase a product, in the same way that “organic,” “free trade” and “cruelty-free” labels have driven product sales, it said in a note earlier this month.

“Privacy-first products are likely to follow this trend,” said Bart Willemsen, a Gartner vice-president. “To increase customer trust, executive leaders need to build a holistic and adaptive privacy program across the organization, and be proactive instead of responding to each jurisdictional challenge.”

More than 60 jurisdictions around the world have enacted or proposed postmodern privacy and data protection laws, following the introduction of the EU’s General Data Protection Regulation (GDPR) in 2018.

“People are actively demanding privacy protection — and legislators are reacting,” said Willemsen. “If your organization operates globally, focus on standardizing operations in accordance with the GDPR, and then adjust as required for local requirements.”

He suggests using technology solutions that automate portions of a privacy management program. He also urged organizations to appoint a data privacy officer who reports to the board.

Dave Masson, Ottawa-based director of enterprise cybersecurity for Darktrace, said in an interview that Data Privacy Day should mean to an organization that — if it isn’t already doing so — it has to start protecting the personally identifiable information of customers and employees. The consequences of data theft could be “disastrous,” he said, including lawsuits and severe damage to the organization’s reputation.

“Organizations still struggle with visibility of what they have on their network,” he said, emphasizing the complexities introduced by cloud architectures. “That’s one of the problems — they can’t see what they’ve got.

“If I was an organization and confident in my security approach, I would be very proud to point out [on Data Privacy Day] what’s in place … as a way of assuring people you’re taking this seriously.”

Organizations need to take “trust-worthiness” more seriously, Eve Maler, interim CTO of digital identity provider ForgeRock, said in an interview.

Data regulations have been around for years, she argued, but they have focused on basic data protection. Newer regulations demand data transparency — telling consumers what the firm knows about them — and allowing customers more control over their data. So successful organizations need to go beyond compliance to establish trust.

Organizations have to think more carefully about the privacy implications of their products, she said. For example, one company has had to withdraw what it hoped was a promising child bedroom monitor after complaints it wasn’t secure.

“That’s an awfully expensive way to go to market,” Maler said.

To impress customers, firms should also look at the personal data they collect as a joint asset, she added.

In the run-up to Data Privacy Day, a number of firms in the security space released statements warning of the need to act.

“We currently see many companies paying catch-up with new regulations, working to implement the right security tools and practices after a breach,” said Darrell Long, vice-president of product management at One Identity. “Hopefully, Data Privacy Day becomes a good initiative to remind companies to think ahead and maintain a proactive stance on privacy before a cyber incident occurs.”

Data Privacy Day “is all about raising awareness of how organizations put the vast amount of sensitive data they store at risk and encouraging everyone to take action to better protect this data,” said Ray Overby, CTO and co-founder of Key Resources.

One major risk to data privacy is excessive access, which simply means that there are individuals, either internally or externally, who have unnecessary access to corporate information.

“The more people with access to information, the more likely your data will be compromised,” he said. “These issues can crop up inadvertently and go undetected for years, so organizations need to include excessive access checking in ongoing security processes.”

Another tip for organizations to improve data privacy practices, he said, is to accurately inventory, classify, and define data ownership.

Companies have to remember that consumers entrust them with their personal data, said Anis Uzzaman, CEO and General Partner of Pegasus Tech Ventures.

“On Data Privacy Day, it’s important to remember that sensitive information needs safeguarding more than ever before,” indicated Uzzaman. “Some information that particularly needs to be protected by companies includes personal health data as this is very sensitive information that most people don’t want to be shared or used against them for future decisions they may want to make.”

When companies make the move to new application systems, it is essential to ensure a smooth transition by implementing best practices such as conducting a thorough inventory to determine no personal data is being collected, adequately backing it up, and properly protecting it with appropriate security platforms, said Steele Arbeeny, CTO of SNP Group.

This will be the first year Data Privacy Day is marked under the tough new California Consumer Privacy Act (CCPA), which came into effect at the beginning of January.

Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
