Who’s responsible for privacy compliance when collecting in Canada and abroad?
As technology continues to advance and become more integrated into our daily lives, it's important to remember that with the convenience and benefits it brings also comes the need for privacy and compliance.
One of the main reasons why privacy and compliance are important in business is because of the vast amount of personal information that is collected and stored by companies. This includes things like names, addresses, phone numbers, email addresses, and financial information. It's crucial that this information is protected and used in a responsible manner, as a breach of this information could have serious consequences.
Today, we’re going to cover two common questions we get when companies are sorting out their privacy policies:
1. Is there anything I need to do if my company collects personal information internationally, not just in Canada?
Just like a long-distance relationship, managing a relationship from across the world is no walk in the park, and neither is collecting and using data from the EU or UK.
A company needs to comply with the privacy legislation of the jurisdiction the data comes from. For example, if you have EU users on your application, you must comply with the GDPR, even if your business is located in Canada. Now, this can get confusing because privacy laws across the globe have different requirements. Some are stricter than others.
While each case needs to be handled differently, it is generally easier for companies to streamline their privacy approach and treat all data the same. If this is the approach your company wants to take, then you should take the strictest legislation (often the GDPR) and implement it across the board.
By taking the most restrictive approach, not only are you developing a gold-standard privacy practice, but you will also be ready for jurisdictions that update their privacy laws to be more in line with the stricter regulations, as we are starting to see in Canada.
Congrats! You now know the specifics of collecting information from across the pond, but knowing your privacy obligations will not get you very far if you don’t have someone accountable for your privacy function.
2. Who in my organization needs to be responsible for privacy?
According to recent legislation in Quebec and the GDPR, if your company doesn’t have a designated privacy officer, the person with the highest authority within your business (likely the CEO) will ultimately be held accountable for your privacy function.
This is a hefty amount of responsibility to put on a CEO (which likely could be you), so it’s always advisable to have someone who understands privacy and can identify privacy risks be designated for that role and leave the CEO to the other 101 things they need to deal with.
Now, we know that most small businesses cannot afford to hire someone full-time. Even if you give the job to someone internally as a part-time position, that person may not know privacy compliance and therefore may not be able to identify privacy risks.
Companies in those situations may consider hiring a privacy advisor or a fractional privacy officer to be their accountability partner in privacy and assist them with privacy compliance. If this is something you think your business could benefit from, or if you have more questions about privacy in general, book a free meeting with our team to see how we can help your business succeed.