Services
Aucun résultat

Nos gens
Aucun résultat Afficher tous les gens

Perspectives
Aucun résultat Afficher toutes les perspectives

Nouvelles
Aucun résultat Afficher toutes les nouvelles

Afficher tous les résultats
Nos gens
Nos gens

Services

Perspectives
Perspectives

Carrières
- Professionnels du droit
  Découvrez pourquoi BLG est le cabinet de choix pour les avocats chevronnés et les nouveaux diplômés qui souhaitent faire progresser leur carrière.
  En savoir plus
- Paraprofessionnels
  Nos parajuristes, commis juridiques et autres paraprofessionnels font partie intégrante de notre réussite. Découvrez-en plus à ce sujet.
  En savoir plus
- Professionnels des Services à l'entreprise
  De nombreuses possibilités de carrière s’offrent à vous au sein de nos Services de soutien juridique et de nos Services à l’entreprise. Trouvez l’occasion qui vous convient.
  En savoir plus

Étudiants
- Étudiants
  En savoir plus
- - Calgary
  - Montréal
  - Ottawa
  - Toronto
  - Vancouver

À propos de nous

Communiquer avec nous
Centre des médias
S’abonner
Nos anciennes et anciens

Services
Aucun résultat

Nos gens
Aucun résultat Afficher tous les gens

Perspectives
Aucun résultat Afficher toutes les perspectives

Nouvelles
Aucun résultat Afficher toutes les nouvelles

Afficher tous les résultats
- Langue
  - Français
  - Anglais

Perspectives

Perspectives
2022 Privacy risk management – Top tips for organi...

Nous sommes désolés. Le contenu de cette page n'est présentement disponible qu'en anglais.

10 mai 2022

2022 Privacy risk management – Top tips for organizations

Changing laws and privacy culture around the world, a growing sophistication of cybersecurity threats, innovations in response to the COVID-19 pandemic and environmental, social and governance priorities, increased data outsourcing and a peak in M&A deal activity means that privacy issues are more prevalent than ever.

Organizations know that the consequences of failing to safeguard personal information in the face of an incident can be enormous. What steps should they prioritize to mitigate risks and mature their privacy management programs?

This article identifies our five top tips and a checklist to get you started.

1. Respond, don’t react: Accountability and governance

We are seeing a significant trend towards development and reform of privacy laws across Canada and globally. In Canada, modernization of privacy laws has generally involved enhanced transparency of organizations’ practices, increased consumer control of personal information, addressing new/emerging technology issues (such as pseudonymized and anonymized information, automated decision-making and biometrics) and bolstered enforcement powers of privacy commissioners. See BLG's previous articles Changes to B.C.'s public sector privacy legislation, Special committee recommendations to modernize B.C.’s private sector privacy law and Québec Privacy Law Reform: A Compliance Guide for Organizations for more information.

Organizations should take steps to mature their privacy management programs to comply with – or to prepare to comply with – modernized privacy laws, rather than reacting to changes.

Directors and senior management

Prepare directors and senior management for potential legislative changes, potential impacts of those changes and resourcing challenges.

Policies and procedures

Conduct an inventory of the policies and procedures in place to protect personal information throughout its life cycle.

Identify and consider the approach in addressing any gaps in the policies and procedures.

Confirm that the organization has a platform to share its policies and procedures on its internal and external websites (as applicable).

Employee training

Confirm that the organization has a training program for employees who handle or have access to personal information.

Data mapping

Conduct a data mapping exercise to document the organization’s personal information and its management practices – this is the foundation to any program! External legal counsel can support a data mapping exercise by providing departmental surveys.

Prepare inventories of technological products or services offered internally or externally that collect personal information. Also prepare inventories of consent forms or other documents used to obtain consent from individuals with respect to their personal information.

Confirm that the organization’s personal information, management practices and inventories are classified under its document management protocols.

Data minimization and retention

Confirm that the organization is not collecting more personal information than it needs.

Confirm that the organization is not retaining personal information for too long.

Other departments

Involve and leverage departments other than just legal (such as IT/security, human resources, procurement and operations) to enhance organizational accountability as a whole.

2. More than just IT: Incident response

The volume and sophistication of cybersecurity threats and incidents involving personal information increased during the COVID-19 pandemic and so did insurance premiums. Regardless of size, industry, or even cyber maturity, a cybersecurity incident can be challenging and costly for an organization.

Organizations should takes steps to implement and regularly update an appropriate incident response plan to respond to cybersecurity incidents when – not if – they happen. An effective incident response plan is short, straightforward and actionable. Most importantly, it involves more than just the IT department.

Incident response team

Define clear roles and responsibilities for incident response internally (including communications and other departments) and externally (including managed security service providers, forensics consultants, public relations advisors, external legal counsel and insurance providers) and keep a contact list of those involved (including back ups).

Engage external firms and service providers now, so that they are prepared in the face of a cybersecurity incident. Involve and coordinate with the insurance provider during this process, as the insurance provider might only work with select firms and service providers.

Develop a legal privilege and legal compliance strategy. Working with external legal counsel as a cyber coach, rather than other types of experts, will preserve solicitor-client privilege and litigation privilege and ensure organizational legal compliance when responding to a cybersecurity incident. See BLG's previous article Cybersecurity incident response – Tips from the trenches.

Define communication channels internally and externally and prepare a communication plan if the organization’s business email service or other usual communication channels are compromised by a cybersecurity incident.

Form a cyber/privacy committee of cross-departmental teams (including the privacy officer and IT/security) that meets routinely to create understanding, open dialogue and identify risks and solutions.

Identify where the organization keeps logs or records of any incidents.

Testing and refining

Test the incident response plan to reduce the risk of errors and streamline the response in the face of an actual cybersecurity incident. A tabletop exercise can help identify inefficiencies and impracticalities in the incident response plan.

Refine the incident response plan to address the inefficiencies and impracticalities identified during testing.

Cyber insurance

Understand the organization’s cyber insurance, including the insurance provider, the policy (e.g., limits, coverage amounts and the expiry date), the requirements for notification and incident response decisions and the associated expenses.

Avoid invalidating cyber insurance coverage by failing to follow the insurance provider’s requirements. For example, in a ransomware attack, the insurance provider will likely require specific steps to be taken prior to the consideration of payment of any ransom fee.

Engage external legal counsel to provide cyber hygiene insurability audits and thus streamline the insurance application and reduce costs. See BLG's previous article Cyber hygiene checklist: Tick these boxes to lower your cybersecurity risk and insurance costs.

Cyber risk mitigation

Take ownership of cybersecurity risk mitigation by implementing the data minimization principle, training employees to identify cybersecurity threats, assessing cybersecurity policies and procedures (such as BYOD policies and procedures) and managing risks of outsourcing.

3. Keep up, flag issues: Innovation

Innovative technologies, such as connected and smart products, artificial intelligence, robotics, biometrics and the metaverse, have changed the way we live. We see this in numerous innovative technologies rolled out in response to the COVID-19 pandemic, such as cloud-hosted collaboration and video-conferencing platforms and apps to process vaccination passports. With the introduction of 5G, even more innovative technology will be possible and novel privacy risks will be inevitable.

Whether an organization is innovating or using these innovations, there are privacy mitigation steps it can take to guide the business when developing or procuring innovative technology.

Data minimization

Apply the data minimization principle to innovative technology. If the personal information is not needed, do not collect it (even if the technology can collect it).

Consider eliminating the use of personal information by artificial intelligence technologies.

If the organization has determined that it is reasonable to check vaccination information of employees, do not store the actual vaccination information, but rather only capture whether or not the employees have complied with the organization’s internal vaccination policy.

Ethics perspective

Incorporate an ethics perspective when creating or procuring innovative technology that collects personal information.

Consider if there is a potential for biased or discriminatory impact or application of the data that has been collected, if there is any potential for inadvertent surveillance or if there are safety and other societal implications (e.g., the innovative technology being perceived as taking the jobs of the organization’s workforce).

Remote work

Educate employees about the risks of remote work and organizational policies and procedures with respect to remote work (such as preferred video-conferencing platforms and when to log onto a VPN).

Privacy by design and privacy impact assessment

When creating innovative technology, guide the organization through privacy by design principles (such as consent, safeguards and accountability).

Consider having a privacy impact assessment template.

4. Get it right: Outsourcing

Outsourcing arrangements that involve the processing of personal information are increasingly common and important for many organizations. Outsourcing can provide significant benefits, but it can also present potentially significant business and legal compliance risks.

Organizations are accountable and must adequately safeguard, personal information that is transferred to a third party service provider. While organizations often seek to protect personal information transferred to a service provider through contractual means, Canadian privacy commissioners have noted that merely imposing a contractual requirement to comply with Canadian privacy laws is insufficient. See PIPEDA Findings #2020-001.

Rather, the organization should take steps throughout the entire relationship, including during due diligence, contract negotiation and after contract implementation, to get personal information protection right with their service provider.

Due diligence

Assess the potential risks and benefits of outsourcing.

Consider appropriateness of using a proposed service provider for the required service and understand the purpose for engagement.

Assess the types of personal information transferred to the service provider.

Understand the service provider’s privacy and security practices. Review the service provider’s privacy policy and terms of service and confirm that the service provider has implemented appropriate policies and procedures.

Conduct due diligence on the proposed service provider. Consider experience and ability to provide the service, business reputation, financial strength and any past issues, complaints or litigation.

Identify any jurisdictional issues based on where the service provider is located.

Contract

Use the contract to protect the organization and include (as appropriate) provisions that address the protection of personal information, permitted and prohibited uses of personal information, the return or destruction of personal information at the termination of the contract, a requirement of the service provider to promptly notify the organization of any breach or attempted breach of confidentiality obligations, audit rights (i.e., the right for the organization to request documents and to carry out audits to verify the service provider’s compliance with its contractual obligations) and other key issues (e.g., subcontractors, organizational control, insurance, indemnities and exclusions from limitation of liability clauses).

Prepare a template contract or set of clauses that address the processing of personal information. If the organization cannot control the paper, use internal policy (minimum standards) or regulatory guidance as leverage.

Ongoing monitoring

Implement policies and procedures for regular, ongoing monitoring of the service provider.

Review any terms and conditions that have changed.

Assess material changes to the service provider relationship.

Other practical considerations

Review and update the organization’s privacy policy to reflect the use of service providers.

Limit service provider access to personal information.

Implement data sharing procedures for providing personal information to service providers.

Consider if additional consent is required with respect to outsourcing.

Implement and regularly update the organization’s incident management framework.

Monitor developments on Canadian personal information protection laws, including those on outsourcing to service providers.

5. Don’t forget: Privacy risks and M&A

Canada has seen a recent peak in M&A deal activity. Privacy and cyber risks that go undiscovered in the M&A transaction process can result in potentially significant costs and liabilities post-closing. Further, the M&A transaction process itself can give rise to privacy and cyber risks. See BLG’s previous article Managing cyber risks in M&A transactions.

Organizations should take steps throughout the M&A transaction process to identify potential and existing privacy and cyber risks and to avoid creating new ones.

Due diligence

Engage in privacy and cyber-specific due diligence of the target.

Understand the target’s collection and use of personal information, including the data flow through the target’s organization.

Understand the privacy laws that apply to the target’s personal information handling practices and consider whether the target has complied with specific obligations under those privacy laws.

Purchase agreement

Ensure the purchase agreement addresses privacy and cyber risks identified in due diligence, including appropriate representations and warranties.

Include indemnities, holdbacks and insurance obligations that address privacy and cyber risks (where appropriate).

Ensure the purchase agreement contains appropriate provisions that comply with applicable privacy laws to permit the sharing of personal information post-closing.

Post-closing

Implement policies and procedures to transfer personal information to the purchaser post-closing.

Notify individuals of the disclosure of their personal information during the M&A transaction process as required by applicable privacy laws.

Remediate the privacy and cyber risks identified in due diligence.

By following the top tips and checklist outlined in this article, organizations will be well positioned to manage privacy risks in 2022. BLG has a team of lawyers with expertise in cybersecurity, privacy and data protection and we regularly advise clients on these matters. For assistance, please reach out to one of the key contacts below.

Par : Sepideh Alavi, Katherine M. Stanger, Danielle Windt

Services : Droit des sociétés et droit commercial, Fusions et acquisitions, Franchisage et distribution, Cybersécurité, respect de la vie privée et protection des renseignements personnels, Vente en ligne et commerce électronique, Commerce de détail et tourisme d’accueil

Key Contacts

Katherine M. Stanger

Avocate principale

Location

Toronto

Email

[email protected]

Phone

416.367.7294

Voir la biographie
Partager
Katherine Stanger

Avocate principale

Services
- Droit des sociétés et droit commercial
- Fusions et acquisitions
- Sociétés fermées
- Technologies de l’information
- Cybersécurité, respect de la vie privée et protection des renseignements personnels
Voir la biographie
Danielle Windt

Avocate

Location

Vancouver

Email

[email protected]

Phone

604.640.4120

Voir la biographie
Partager
Danielle Windt

Avocate

Services
- Droit des sociétés et droit commercial
- Fusions et acquisitions
- Contrats commerciaux
- Sociétés fermées
- Cybersécurité, respect de la vie privée et protection des renseignements personnels
Voir la biographie

Communiquer avec nous
Centre des médias
S’abonner
Nos anciennes et anciens

Accessibilité
LCAP
Avis juridique
Politique de confidentialité
Témoins

Services

Nos gens

Perspectives

Nouvelles

Services

Nos gens

Perspectives

Nouvelles

2022 Privacy risk management – Top tips for organizations

1. Respond, don’t react: Accountability and governance

2. More than just IT: Incident response

3. Keep up, flag issues: Innovation

4. Get it right: Outsourcing

5. Don’t forget: Privacy risks and M&A

Partager

Facebook

LinkedIn

Courriel

Key Contacts

Katherine M. Stanger

Avocate principale

Partager

Facebook

LinkedIn

Courriel

Katherine Stanger

Avocate principale

Services

Danielle Windt

Avocate

Partager

Facebook

LinkedIn

Courriel

Danielle Windt

Avocate

Services