Privacy is more than a policy that you place on your website assuming that nobody will read it. For businesses, privacy is a cultural factor; it is a business enabler. In the current state of things, privacy should be an elevated component of a business’s unique selling proposition.
Why Are We Even Talking About This?
Because it’s relevant. Now more than ever, your business will need a privacy management program. Given the reach of Quebec’s Bill 64, companies must prepare to prove compliance. Alongside other obligations, this Bill introduces privacy impact assessment requirements and privacy by design as a standard.
The concept of a privacy management program isn’t new. Back in 2012, the Privacy Commissioners of Canada, British Columbia, and Alberta released the guidance document “Getting Accountability Right with a Privacy Management Program.” Its purpose was to highlight what those regulators expected to find in a business’s privacy program. Their thought process focused on accountability, one of PIPEDA’s principles. Since then, privacy challenges have only increased.
What Is A Privacy Management Program?
A privacy management program is a set of mechanisms developed by an enterprise to enable privacy protection throughout the information lifecycle.
The mechanisms we alluded to above include, among others, an analysis of:
- Internal factors such as corporate culture, risk appetite, existing policies and procedures, contractual obligations, initiatives involving personal information, and technologies employed by the organization.
- External factors such as third parties who have access to the personal information you collect, the compliance baseline (laws, regulations, standards), and social perception at the time of developing the program strategy.
- Company-specific requirements: How does the privacy program fit within the overall strategy?
Based on those factors and requirements, the company develops a series of policies, procedures, business processes, and training materials; the overall result is increased awareness and an improved privacy culture. A privacy management program must evolve continuously to meet ever-changing privacy standards and legislative and regulatory requirements. Changes should also be driven by the company’s evolution: its use of new technologies, different sources of personal information, new vendors, etc. Having a program in place will allow you to be agile in implementing required changes and demonstrating compliance; it will also boost the company’s reputation and the level of trust it commands.