The recent reform of the Act respecting the protection of personal information in the private sector (“Bill 25”)[1] raises no shortage of questions for organizations. In particular, some are wondering where to start and how to make sure they are in compliance with their new obligations while at the same time mitigating the risks associated with processing personal information. Adopting a privacy compliance program is therefore an important step to take in order to effectively meet all of the applicable statutory requirements, especially those relating to the implementation of preventive protection measures.
This series of bulletins, presented in chapter form, will demystify this concept and suggest concrete measures for initiating compliance.
Chapter 1: What is a privacy compliance program and why have one?
What is a privacy compliance program?
It is a “structured approach of combining several disciplines into a framework that allows an organization to meet legal requirements and the expectations of business clients or customers”[2] regarding privacy.
A privacy compliance program is therefore different from a compliance framework. A compliance framework could be defined as a set of rules, structures, processes or other key controls that enable the organization to manage and mitigate its compliance risks. It may be composed of a number of inputs, such as the organization’s applicable statutory obligations or recognized personal information protection standards (for example: ISO/IEC 27701:2019). The program itself is the method that puts that framework in place and makes it work within the organization. It is supported by individuals identified within the organization, and it encompasses designing the compliance framework, integrating it into the organization’s activities, and implementing the organization’s governance, oversight and management of the associated risks.
What purpose does it serve?
The purpose of implementing a privacy compliance program is to identify, prevent and address privacy protection risks (such as data leakages) and to comply with statutory obligations. It can also provide organizations with a number of unexpected benefits.
For example, in addition to helping to enhance confidence on the part of customers, employees and partners, or, more broadly, the public, by promoting a culture of privacy protection, the privacy compliance program makes it possible to optimize certain processes or activities.
These include:
- Structuring or automating the processes associated with individuals’ exercise of rights in relation to their personal information (access and rectification, but also the new rights regarding data portability and deindexation[3]);
- Providing persons concerned with the required information regarding the personal information collected by the business[4] in order to enhance their confidence in the business;
- Identifying and locating personal information in order to facilitate protection of the information;
- Giving the organization’s executives and directors the information needed for making informed decisions;
- Adding value to the organization’s data by making sure that it is up to date, that use of the data is properly documented, and that it can be used in a compliant manner, including by obtaining the appropriate consents;
- Mapping the organization’s personal information protection obligations, attaching them to existing processes or controls (relating to information security, for example), to reduce compliance costs in the long term and even to optimize performance of the processes and controls;
- Ensuring effective and optimal management of the various statutory and regulatory requirements for organizations operating in several jurisdictions;
- Optimizing due diligence on the part of sellers, service providers or mandataries;
- Being proactive, agile and efficient when confidentiality incidents occur that affect personal information, for example by having clearly defined roles and responsibilities and pre-established response plans, and by having a better picture of the organizational risks in this area and of the applicable legal and regulatory obligations.
Conclusion
The purpose of the first chapter in this series was to familiarize you with the privacy compliance program concept and to stress its importance by explaining the benefits it can provide for your organization. In the next chapter, we will address the important question of the roles and responsibilities of the parties involved in the privacy compliance program and introduce the models for the structure of the team responsible for it.
[1] This reform was effected by the enactment of Bill 64 on September 22, 2021, making it the Act to modernize legislative provisions as regards the protection of personal information, SQ 2021, c. 25, amending the Act respecting the protection of personal information in the private sector, CQLR c. P-39.1.
[2] Russell DENSMORE, “Introduction to Privacy Program Management”, in Privacy Program Management. Tools for managing privacy within your organization. 2nd ed., Portsmouth, International Association of Privacy Professionals, 2019, 254 pp., at p. 1.
[3] On this point, see sections 27 paras. 1, 28, and 29 of the PPIPS, articles 38 to 40 of the Civil Code of Québec, and sections 27 paras. 1 and 3, 28, 28.1, and 29 of Bill 25. To learn more: https://www.fasken.com/en/knowledge/projet-de-loi-64/2021/09/23-debut-temps-nouveau-secteur-prive-pl-64-adopte.
[4] For example, section 8 para. 3 of Bill 25 requires that organizations inform the person concerned, on request, of the categories of persons who have access to the information within the enterprise, the duration of the period of time the information will be kept, and the contact information of the person in charge of the protection of personal information.