The Canadian Marketing Association recently published two new privacy guides that are designed to help small and medium-sized Canadian businesses better understand and comply with the provisions of the federal Personal Information Protection and Electronic Documents Act.
The
first guide, titled Privacy Models that Work — A Guide for Canadian Organizations — includes perspectives from chief privacy officers on how the privacy function is positioned in their organization, processes and key roles and responsibilities.
The second, Best Practices in Data Management — A Guide for Marketers — is based on best practices in data management at some of the top companies in Canada, and covers collecting, using, safeguarding and sharing data.
Both publications are available on the CMA Web site.
Pipeline spoke to Ed Cartwright, senior director of communications for the CMA, about why the guides were issued and how they can help IT marketers better comply with privacy legislation.
Pipeline: Why are these guides necessary at this point? It seems there are a number of such guides that have come out, so what makes these different?
EC: We were awarded $50,000 from the federal privacy commissioner (to look into) best practices in privacy, but also to look at small business — their compliance and knowledge of privacy laws. What the study told us was that upwards of about one third of small businesses — most of those we would classify as having fewer than five employees — have assigned a person to be responsible for privacy in their organization. What we also found was only about one quarter have a formal privacy policy. The concern we had was, we have a law that has been around for private industry since January of this year and small businesses are struggling with it. And in many cases they are not even aware there is a federal privacy law. In fairness to them we have not seen a lot of education on the law itself. I would think it is as frustrating for the privacy commissioner’s office as well, because they would be looking for more funding to conduct more outreach, so there was a two-pronged approach, but the research won’t be available until the fall.
We said, “Let’s talk to some of Canada’s leading companies and get their views on best practices in data management, particularly in the areas of how data is collected and used, shared and safeguarded, and to put that together in a best practices document.” It’s not specific to small business, but there are models that would work for small business
Pipeline: In smaller organizations, who is responsible for privacy?
EC: You would hope it is the most senior person in the company or someone who might have an HR responsibility or IT responsibility who understands security risks. That’s where we’re seeing privacy parked in many companies anyway — sometimes you do see it parked with the marketing department, but at least with IT they would have an understanding of how it covers the whole company.
Pipeline: What issues do small and mid-sized organizations still struggle with at this point?
EC: They struggle with compliance with the law because there is a number that says only abut half even think the privacy applies to them, and that’s pretty serious. It’s a struggle for small and mid-sized businesses particularly because they’re not aware of what the responsibilities are, and they don’t have the luxury of a big machine behind them on the corporate side who can look at it. It’s the owner/operator responsible for pretty well everything, or that person’s one support staff they have in an admin function. The other tip for small business is ensure your legal counsel is up to speed on (the legislation). That being said, the act and the law say companies have to appoint someone responsible for privacy in the organization.
Pipeline: How are marketing organizations dealing with the issues that have emerged since the legislation came into effect? Are there any privacy issues that are specific to IT marketing firms?
EC: Security is a huge issue. With the recent incidents we’re seeing in Canada and the U.S. with breaches of consumer data, it’s a really serious issue for the whole marketing community and business in general. Particularly because the federal privacy law is up for review in 2006, there is the very real threat of tougher enforcement and laws, and with the incidents we’ve seen in Canada and the U.S. those incidents will not serve us well because of the exposure we’re getting.
Pipeline: One of the issues that seem to have emerged is figuring out who in an organization is responsible for protecting a customer’s privacy. The privacy officer by virtue of his or her title is automatically conferred that responsibility, but it’s really often the front-line people who end up being the ones who have to deal with it. Are smaller organizations in general putting enough education and training into those front line people — the call centre reps, the sales reps?
EC: It’s hard to say. I wouldn’t even want to guess. There would be a number of organizations and companies that are, but the bigger concern is those that aren’t, so how do we reach them? That’s one of the reasons these two guides were developed.
Pipeline: One of the models outlined in the publication talks about using privacy as an opportunity within the marketing function. What are those opportunities?
EC: It’s something we’ve always supported. Privacy is good for business and (it is good) to make it very transparent — what you do with someone’s information and how you use it. (If you are) very upfront with them, and if you are a reputable company and (customers) believe you take privacy seriously, that can only reap benefits on the marketing side. We’ve been very supportive of companies that have been honest and transparent and forthright with what they do with customers’ information.
Pipeline: One of the best practices in the guide calls for a single view of the customer. Considering that not that many large businesses even have this yet, how practical is that advice for SMBs?
EC: It would be tougher, and perhaps a model that wouldn’t work, but then again they might not have as many customers, so it might allow them to segment and get to know their makeup and demographics.
Pipeline: What qualifications should a privacy officer have? For marketing organizations, what other capabilities or experience would you recommend looking for in hiring a privacy officer?
EC: Certainly a thorough understanding of the law but also (the ability to) drill down to see how it applies in practice. (It should be) someone who has as well taken some type of professional development in privacy –not just the legal elements, but the practical elements, and (someone who knows) what privacy models really work.
Pipeline: There is a section in one of the guides that recommends companies have regular audits of the privacy policies. Do smaller organizations ever use the equivalent of a secret shopper to test how their staff is handling their privacy policies?
EC: I’m not aware. I would certainly support any type of audit. It should be done on a regular basis and at regular intervals so you can ensure you’re keeping up with best practices, and not falling behind. I think it’s important to get a better feel for how your staff are representing you as far as consumer privacy or business privacy are concerned.
Comment: [email protected]
