Data privacy has become an increasing concern for businesses. With the introduction and continuous expansion of privacy regulations such as PIPEDA, HIPAA and GDPR, to name a few, businesses have more responsibilities than ever to their clients. As a business owner, manager or employee it is important to understand the responsibilities your company has and the rights of each user whose data you collect. Fortunately, many compliance regulations overlap heavily in the privacy rights they afford customers. In this article we go over the main data privacy rights that consumers have in Canada. It does not cover every single requirement of every regulation, but it does cover the vast majority of data rights that any business in Canada needs to be aware of:
1) User Consent
The first thing any business should do when it collects any type of customer data, whether electronic or not, is to get the customer's consent. This means users should be notified that their data is being collected, told why it is being collected and what it will be used for, and be asked to consent to that collection and use. Use plain language that anyone can understand, and avoid industry jargon that could be confusing. Consent is only meaningful if it is informed and tied to a stated purpose: if you later want to use the data for a new purpose you need fresh consent, and customers can withdraw consent (subject to legal or contractual restrictions), so your systems need a way to record both the consent and its withdrawal.
2) Safeguards
It is the responsibility of the company that collects the information to provide proper safeguards for it. This means physical measures (e.g. locked filing cabinets and alarm systems), up-to-date technology (e.g. passwords, encryption, firewalls and security patches) and organizational controls (e.g. security clearances or access controls). The safeguards should be proportionate to the sensitivity of the information being protected: a newsletter mailing list and a database of health or financial records do not warrant the same level of protection. Safeguards also have to follow the data wherever it lives, including backups, laptops and any third-party service provider you hand it to; under PIPEDA you remain responsible for information you transfer to a third party for processing and are expected to bind that party contractually to an equivalent level of protection.
3) Access, Accuracy and Correction
Customers have a right to their data profile: they should be able to obtain all of the information a company has collected on them, how it has been used and to whom it has been disclosed. This should be provided promptly; under PIPEDA the response is due within 30 days of the request (with a possible 30-day extension in limited cases), and GDPR allows one month. Customers should also be able to challenge the accuracy of the information and have the company correct anything inaccurate in their data profile, on the same kind of timeline. A practical consequence is that you need to know where every copy of a customer's data sits, otherwise you cannot assemble a complete response.
4) Data Deletion
Customers have the right to ask a company to delete their data. Unless the company is required by law to keep the information, it needs to be able to honour that request promptly (GDPR, for example, sets a one-month clock), and that includes copies held in backups and by third-party service providers processing the data on your behalf. Independently of any request, information you no longer need for the purpose it was collected for should be destroyed, erased or anonymized. Do not keep customer information once there is no longer a business reason to have it; data you no longer hold cannot be breached.
5) Limited Collection
Do not collect any information from a customer that you have no business purpose for. Limit your collection to the information you need to complete the business transaction and nothing more; every extra field you collect is something you now have to safeguard, produce on access requests and eventually delete.
6) Limited Disclosure
Even within your company, employees should only have access to the customer information they need to do their job and nothing more. Limit access to customer information within your company, and disclosure to third parties, to what is strictly necessary, and keep a record of who has access and whom you share data with.
7) Breach Notification
If customer information has been lost, stolen or exposed outside the company, you are required to notify the affected customers, and under PIPEDA the Privacy Commissioner as well, whenever the breach creates a real risk of significant harm to an individual. Do this as soon as feasible after you determine that a breach has occurred; waiting weeks is not acceptable, and GDPR sets an explicit 72-hour clock for notifying the supervisory authority. PIPEDA also requires you to keep a record of every breach of security safeguards, whether or not it met the notification threshold, for 24 months, so have an incident log in place before you need it.
How to get more free content
If you liked this article and would like to read more of our cybersecurity insights, tips and tricks, feel free to follow us on social media. If you are a business owner who is struggling to assess your business's cybersecurity posture, take advantage of our free introductory assessment and we will help you figure out a game plan for keeping your company safe.