Privacy of personal customer data

In Quebec, the collection and use of customer personal data by private-sector organizations is governed by the Act respecting the protection of personal information in the private sector (as amended by Law 25), and federally by the Personal Information Protection and Electronic Documents Act (PIPEDA, known in French as the LPRPDE); the federal framework is being revised by the proposed Digital Charter Implementation Act. Several of the requirements listed below (right to erasure, the one-month response deadline, the 72-hour breach notification and the Data Protection Impact Assessment) are drawn from the European GDPR rather than from PIPEDA, and matter to Canadian organizations that process the data of individuals in the European Union.

We can audit and help you implement an action plan to ensure the protection of personal data in terms of the following criteria:

  • Accountability

Every organization is responsible for the personal information it collects and must designate a person responsible for protecting its customers' data within the framework of the law.

  • Identifying purposes

The organization must clearly identify the purposes for which personal information is collected, at or before the time of collection.

  • Customer consent

The knowledge and consent of the individual are required when an organization collects, uses, or discloses personal information, and the purposes must be stated in a way the individual can reasonably understand.

  • Limiting collection

The personal information an organization collects must be limited to what is necessary for the purposes it has identified.

  • Limiting Use, Disclosure and Retention

The organization shall limit the ways it uses, discloses and retains personal information. An organization should not use or disclose personal information for purposes other than those it has identified and obtained consent for, and should retain personal information only as long as necessary to fulfill those purposes.

  • Accuracy

The organization should ensure that the personal information it holds is accurate, complete, and up to date for the purposes for which it is used.

  • Security safeguards

The organization should protect personal information with security safeguards appropriate to the sensitivity of the information held, covering physical, organizational and technical measures.

  • Openness

The organization shall make its policies and procedures about how it manages personal information readily available.

  • Individual access

Upon an individual’s request, an organization shall make known to the individual the existence, use, and disclosure of personal information and give access to it.

  • Challenging compliance

Individuals shall be able to challenge an organization’s compliance on any of the privacy principles of PIPEDA.

  • Right to be forgotten

The individual is entitled to exercise the right to erasure; under the GDPR the organization must respond without undue delay and, in any case, within one month of the request.

  • Incident records

The organization shall keep a record of every breach of security safeguards, together with its remediation plan. Under PIPEDA these records must be retained for at least 24 months and provided to the Privacy Commissioner on request.

  • Privacy by design

The organization should put in place appropriate technical and organizational measures to implement the data protection principles and safeguard individual rights. In essence, the organization should build data protection into its processing activities and business practices, from the design stage and throughout the data lifecycle.

  • Data breach declaration

Under the GDPR, organizations shall report certain types of personal data breach to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. Under PIPEDA, a breach of security safeguards that creates a real risk of significant harm must be reported to the Privacy Commissioner, and the affected individuals notified, as soon as feasible.

  • Impact analysis

A Data Protection Impact Assessment (DPIA) should be performed before a project starts to identify and minimize the data protection risks it introduces.

  • Third-party security

The organization should assess the security of its third parties (suppliers, processors and partners) whenever they can access or affect customer data, and bind them contractually to equivalent safeguards.

  • Chief Data Officer

The organization should name a Chief Data Officer (the Data Protection Officer role under the GDPR) accountable for personal data protection.

  • Awareness

Employees should be trained and aware of personal data protection requirements.

So, if you're worried that your customers' data will end up on the Dark Web, it's time to put in place an action plan.

We can assist you with each of these action lines: identify personal data protection measures, audit your suppliers, build a data governance policy, structure responsibilities, and provide you with indicators to measure progress.

Contact us