The adoption by businesses of well-intended and organization-wide social media strategies, cloud-based storage and associated outsourcing solutions can present data protection and privacy challenges.
Notably, with the rapid emergence and wide use by employees of mobile devices such as smartphones and tablets, the challenges become somewhat intensified – particularly in relation to the preservation of an organization’s sensitive and proprietary information, as well as the personal privacy of its employees and customers.
Adoption by organizations as part of an organization-supported bring your own device (BYOD) or similar program, while an enabler for employees, nevertheless can prove detrimental to an organization if not well considered and properly implemented. Embraced by both the organization and its employees, while well intentioned, the program can have dire consequences to each, or both of them, if organizational confidential and personal information are not safeguarded.
Subject to any imposed corporate restrictions, employees may freely surf the web while also accessing their personal emails, texts, apps and the like. At the same time, the device will have been electronically partitioned by IT so as to enable “controlled and authorized access” to the organization’s often sensitive, commercial information.
Sometimes, and typically depending on the employee’s defined role within the organization, the employee may have access to the personal information (PI) of others. PI may inadvertently include personal information of fellow employees as well as personal information of the respective employees of the organization’s customers and suppliers.
In permitting such access, whether purposeful or inadvertently, there is an absolute requirement of complying with all applicable privacy legislation. By way of example, in Ontario, adherence to the applicable provisions of the Personal Information Privacy and Electronic Documents Act (PIPEDA) is necessarily required.
Hence, an organizational strategy needs to embrace hard policies around the protection of personal information, while also ensuring that the organization’s corporate data is well protected.
It is hoped this checklist will provide some assistance, recognizing that it is strictly a springboard and must be tailored to the particular organization’s data protection and statutory retention obligations.
A note of caution though: the checklist is but a tool and a precursor to a comprehensive review of the organization’s currently established data processing practices. These need to be reviewed in association with the organization’s legal compliance requirements under the relevant day-to-day operational, reporting, and retention laws. Representatives from the organization’s information management and legal department would need to be part of this review and audit.
1. Adoption of a comprehensive personal information and data protection compliance strategy
The organization must proactively ensure that its compliance approach applies throughout the entire organization. This would include all data processing activities that embrace or utilize technologies. In particular, all employee mobile devices that provide remote access to the organization’s standalone, cloud, and third-party managed servers.
2. “Personal information” inventory
Inventory, by way of an audit, the various categories of PI together with their respective database, server, workstation, mobile device, cloud and third-party location(s). Such audit should extend to both hardcopy (specifying physical location) as well as digital format.
3. Appointment of a data protection compliance officer
Internal data compliance is critical to the well-being of the organization and is therefore critical to appoint a person with overall responsibility for enforcing and monitoring the organization’s data protection and compliance strategy.
4. Develop and adopt a data protection policy
Your organization’s overall data protection policy will need to focus on your organisation’s overall data processing activities, both internal and external, as well as any current, in-place, related policies, as for example any existing acceptable use or BYOD policies.
5. Compliance with regulatory registration requirements
Ascertain and comply with all required statutory registration and renewal mandates related to personal information and data/information retention and filing.
6. Notify and provide required information disclosure request to affected individuals where disclosure is mandated
Promptly and with clarity, notify affected individuals should there be any statutory or other lawful requirement to disclose personal information.
7. Third-party agreements with consultants and providers
Contractual compliance obligations with respect to PI and corporate data assets need to be included in all contracts with third-party consultants, data services providers, as well as off-site storage facilities providers and operators.
Ensure that strict protection and compliance requirements are included where the data is going to be located outside of Canada.
8. Security measures to protect personal information
Develop, implement and manage technological and organizational policies protecting against accidental, targeted, or unlawful destruction, alteration, loss, inadvertent or unauthorized access, disclosure or processing of any form of PI.
9. Educate staff about your compliance policies and procedures
As part of the roll-out strategy, staff will need to be educated about the need for privacy policies and procedures and should acknowledge compliance by way of written agreement.
10. Your compliance toolkit – time to update
Data protection and compliance constitute a rigorous and continuous process. While tools and third-party services are available to enable and enhance internal data controls, there is also a need to comply with evolving statutory and legal retention requirements. There is also a need to periodically update your organization’s compliance toolkit.