Privacy For Canadian Tech Startups
Nothing in this article is intended to be considered legal advice. All contents and opinions belong exclusively to the author and do not reflect the opinions of her employer(s).
In recent years the privacy landscape has evolved considerably. The European privacy model has brought new challenges to the tech industry, and some of those challenges may be hard for tech startups to overcome. But first things first: tech startups need to ensure that they are compliant with Canadian privacy legislation, the relevant regulations, and the applicable guidance before worrying about anyone else's regime.
Defining what you need
Below are some situations that you could find yourself in when figuring out how to deal with privacy matters:
- You have external counsel;
- Your company has hired a consultant to help you figure out what to do;
- Your company has an internal legal professional (lawyer or licensed paralegal); or
- You have no budget for a legal professional and, for the time being, will have to figure it out with the help of your current team.
If you have experienced external counsel, it is likely that you will get solid and sound, but generic, legal advice.
If you have hired an experienced consultant, it is likely that you will get solid input that is a bit more targeted towards your company, but it is also likely that you will try to hide certain information that you feel simply makes your company look bad (this tends to happen even when we try not to).
If you have an internal legal professional to assist you with handling privacy, you may be in luck: it is more probable that this person will be able to invest more time examining your business processes, talking to the right internal stakeholders, documenting findings, and tailoring a privacy program suitable for the actual needs of your business.
Finally, if you cannot afford a legal professional or privacy consultant, that is not a problem; you can always use a do-it-yourself approach. At least you can be honest with yourself about the existing gaps within the organization and do your best to take action. If this is your case, the IAPP runs a series of training certifications that can be very useful and that are certainly much more affordable than hiring an experienced professional.
Whatever the model you have chosen to handle privacy, below are some basic things that must be done:
- Identify relevant internal and external stakeholders;
- Discuss how privacy issues could have an impact on your business;
- Make sure you understand the definition of personal information and how it may vary from province to province. Most provinces have more than one privacy act (covering the public sector, the private sector, and health information), and federally we also have PIPEDA (private sector) and the Privacy Act (federal public sector). Each act usually carries its own definition of personal information, so check the one that applies to you rather than assuming a single definition;
- Ensure that you know, and have documented, which legislation and regulations apply to your line of business. People tend to assume that PIPEDA is the only privacy legislation they must comply with, which may be a false assumption depending on the sector or industry you work in;
- Identify or map the personal information that your company holds (not only customer information but also your company's internal information, such as employee data) and determine where it comes from, where you are storing it, and who has access to it;
- Designate a privacy committee (even if it consists of only two people), identify the work to be done, and divide the tasks;
- Talk to your team about your plan for implementing these changes:
- If your company has project managers, they should be able to handle communication with designers and developers; otherwise, simply approach them yourself and explain why making changes (which are usually simple) to current internal practices and business processes matters for compliance;
- Privacy is not only a security item. Many of your legal and regulatory obligations need to be handled through contract provisions, so it is very important that you identify what the obligations of your service providers are, what information they have access to, where they store the data, how they process it, and what happens to it when the contract ends.
- Having done the above, engage the team in creating a privacy framework that is achievable: not just a template, but one that your tech team feels they can actually implement. Make sure your privacy framework:
- Includes a clear strategy,
- Defines governance (who can make decisions and how),
- Indicates who will act as your privacy officer, the individual accountable for compliance (the role the GDPR calls a data protection officer),
- Requires that privacy impact assessments are routine practice rather than a one-off exercise,
- Requires that your privacy, cookie, and contract policies are in place,
- Links to other relevant policies (data classification, data retention, etc.),
- Requires that consent is obtained when needed and that users are able to withdraw it (opt out),
- Requires training to be provided to your employees.
Compliance is a multi-step process. If you start with a basic idea of how to get there, it will be much easier for your company to implement it.