To get back to business amid the pandemic, organizations everywhere underwent a massive digital transformation, which allowed vital business operations to continue but also introduced new risks.
When organizations treat privacy concerns as secondary issues (especially when change is happening at a rapid speed), mistakes happen. And unfortunately, privacy mistakes are not particularly forgiving, often resulting in regulatory scrutiny, fines, lawsuits and reputational damage.
Why risk an error? Take the following steps to mitigate privacy risks now and into the future.
Complete a Privacy Impact Assessment
When it comes to the privacy of sensitive data, the laws and jurisdictions involved are numerous, the rules are confusing, and the regulatory consequences are costly. Do your information systems, programs/services, and policies and practices meet basic privacy requirements? The answer to this question will be clear after conducting a Privacy Impact Assessment (PIA).
While a PIA is required of organizations in Alberta that are subject to the Health Information Act (HIA), this diligence exercise is voluntary for public bodies and private sector organizations.
When included as part of the planning or early developmental stages of a new initiative or system, a PIA can be an extremely useful and proactive tool for any organization to:
- Identify and mitigate compliance risk
- Build privacy into system design
- Establish ongoing accountability
The Office of the Information and Privacy Commissioner (OIPC) of Alberta reviews PIAs submitted under HIA. To give you an idea of how immediately relevant these PIA reviews can be to Albertans, OIPC recently reviewed and provided recommendations for a PIA about the ABTraceTogether contact-tracing app submitted by Alberta Health. This provides an excellent example of the PIA process from start to finish.
Mitigate Vendor Privacy Risks
Working with a third-party vendor is inherently risky, and you don’t have to look far to find examples. As recently as May 2020, Blackbaud, a cloud-based fundraising and CRM provider, reported a ransomware incident that impacted more than 200 higher education institutions and non-profits internationally.
What we learn from incidents such as these is that even while data is in the hands of third-party vendors, organizations remain responsible for taking all reasonable steps to protect that information from unauthorized access, use and disclosure.
It’s crucial that your third-party vendors:
- Demonstrate privacy and data protection awareness
- Complete privacy and security assessments
- Comply with regulatory and internal privacy and security governance that aligns with your business's data policies
- Implement and maintain compliant privacy terms in contracts, including information management agreements
Strive for Clarity in Your Privacy Policies
Privacy policies are required by legislation. Review and update your privacy policies, ensuring that your privacy and access processes are clear, effective and transparent, taking into consideration any new workflows or technologies you’ve introduced over the past few months.
Remember, thoroughness doesn’t have to come at the expense of clarity for readers. Your goal and priority should be that all staff, clients, and customers can clearly understand your policies and trust your organization more because of the work you’ve done to protect the information you manage.
Designate a Privacy Officer
If your business involves collecting, using and disclosing personal information, a privacy officer will lead your organization in meeting its legislated requirements and mitigating risks.
What does a privacy officer do?
- Identifies privacy compliance issues
- Ensures privacy policies and procedures are developed, implemented and maintained
- Ensures all team members are aware of their responsibilities and duties
- Provides guidance and explanation of related legislation for the organization
- Responds to access requests and requests for corrections to personal information
- Ensures personal information in the custody or control of the organization is protected
- Represents the organization in dealings with third parties and the Office of the Information and Privacy Commissioner
Why risk a mistake? Talk to Cenera’s Privacy and Information Management team today or register for an upcoming Privacy Training event near you!