If you do business with customers in Canada, important new privacy obligations have been in force since November 1, 2018: the mandatory breach-reporting provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA itself has governed private-sector handling of personal information since the early 2000s, but with these additions people are already starting to refer to it as Canada’s version of GDPR, the sweeping privacy regulation the European Union began enforcing in May 2018.
There are some common denominators between PIPEDA and GDPR. Both require meaningful consent for the collection and use of personal information, as well as disclosure of how this information will be used. Both also require breach notification in cases where personal information has been compromised: in Canada’s case, a breach that creates a real risk of significant harm to individuals must be reported to the federal Privacy Commissioner and to the affected individuals as soon as feasible, and organizations must keep a record of every breach of security safeguards, reportable or not, for 24 months. Other common threads include requirements to maintain accurate and secure data, giving individuals access to their own data, and the need to designate someone accountable for compliance.
Getting started with PIPEDA
The Office of the Privacy Commissioner of Canada has published a downloadable guide to help organizations understand and comply with PIPEDA, entitled Privacy Toolkit: A Guide for Businesses and Organizations. It provides an overview of the law and its principles, together with descriptions of its complaint handling procedures and audit provisions.
PIPEDA compliance revolves around ten principles that businesses must follow:
1. Accountability. Comply with these principles, appoint an individual responsible for compliance, protect information handled by you and third parties, and develop policies and practices for personal information.
2. Identifying purposes. Document and inform individuals why information is being collected, before or at the time it is collected.
3. Valid, informed consent. Specify what information is being collected, used or disclosed along with its purpose, and obtain meaningful consent – express consent for sensitive information, with implied consent acceptable only where the purpose is obvious and the information is not sensitive – before collection, and again if a new use of the personal information is identified.
4. Limiting collection. Do not collect personal information indiscriminately, or deceive or mislead individuals about the reasons for collecting personal information.
5. Limiting use, disclosure, and retention. Use or disclose personal information only for the purpose for which it was collected or consented to, keep personal information only as long as necessary, and have policies for the retention and destruction of information that is no longer required.
6. Accuracy. Minimize the possibility of using incorrect information when making a decision about a person or when disclosing information to third parties.
7. Safeguards. Protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
8. Openness. Inform customers, clients and employees that you have policies and practices for the management of personal information, and make them understandable and easily available.
9. Individual access. Provide individuals with access to their personal information on file with you, along with how and to whom it has been disclosed, as well as the ability to correct or amend this information.
10. Challenging compliance. Develop simple and easily accessible complaint procedures, inform complainants of their avenues of recourse, investigate all complaints received, and take appropriate measures to correct information handling practices and policies.
Some important distinctions
While the goals of PIPEDA are very similar to those of other privacy regulations such as GDPR – and many of the same compliance strategies will apply to both markets – there are some key differences with Canada’s new regulations. Here are two of the more important ones:
A focus on mediation. Compared with other global privacy regulations, which often carry stiff financial penalties, PIPEDA is designed to enforce privacy obligations through mediation where possible. However, this does not mean that the law is without teeth: both complainants and Canada’s Privacy Commissioner can apply for a Federal Court hearing and potential damage awards. In addition, specific violations such as intentional destruction of requested personal information or whistleblower retaliation may be prosecuted as offences, and since November 2018 the same is true of knowingly failing to report a breach or to keep the required breach records, with fines of up to CAD 100,000 per violation.
Limits on scope for employee data. Unlike GDPR, PIPEDA applies to employee data only at federally regulated entities such as banks, airlines, telecommunications providers and interprovincial shipping companies; employees of other businesses are covered, if at all, by provincial law. For consumer data collected in the course of commercial activity, PIPEDA applies across Canada, except inside provinces whose private-sector privacy laws have been declared substantially similar (Quebec, Alberta and British Columbia), where the provincial law governs instead; personal information that crosses provincial or national borders falls under PIPEDA regardless.
Knowing the location of customers is key to PIPEDA compliance
Contact data quality is no longer optional when dealing with the Canadian market. Service Objects has been at the forefront of helping firms with their compliance efforts for data privacy regulations, including flagging the geographic location of customers and prospects, which is a key first step in determining which law applies to each record and in getting started with any compliance effort.
Contact us for more information about how our data quality solutions can help your business.