In Quebec, the collection and use of customer personal data by a third party are governed by the Personal Information Protection and Electronic Documents Act (LPRPDE) and, federally, by the Personal Information Protection and Electronic Documents Act (PIPEDA) and, more recently, the Digital Electronic Act.
We can audit and help you implement an action plan to ensure the protection of personal data in terms of the following criteria:
Every organization is responsible for the personal information it collects and must designate a person responsible for protecting its customers' data within the framework of the law.
The organization must clearly identify the purposes for which personal information is collected, either before or at time of collection.
The knowledge and consent of individuals are required when an organization collects, uses, or discloses personal information, and consent must be obtained in a way that the individual clearly understands.
The personal information an organization collects should be limited to that which is necessary for the purposes identified.
Limiting Use, Disclosure and Retention
The organization shall limit the ways it uses, discloses and retains personal information. This means that an organization should not use or disclose personal information for purposes other than those it has identified and for which it has received consent. The organization should retain personal information only for as long as is necessary to fulfill those purposes.
The organization should ensure that the personal information it collects is accurate, complete, and up-to-date for the purposes for which it is being used.
The organization should protect personal information with security safeguards that are appropriate for the sensitivity of personal information held.
The organization shall make its policies and procedures about how it manages personal information readily available.
Upon an individual’s request, an organization shall make known to the individual the existence, use, and disclosure of personal information and give access to it.
Individuals shall be able to challenge an organization’s compliance on any of the privacy principles of PIPEDA.
Right to be forgotten
The individual is entitled to exercise the right to erasure, and the organization has one month to comply.
The organization shall keep a log of all data breaches and remediation plans.
Privacy by design
The organization should put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. In essence, the organization should bake data protection into its processing activities and business practices, from the design stage right through the lifecycle.
Data breach declaration
All organisations shall report certain types of personal data breach to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible.
A Data Protection Impact Assessment (DPIA) should be performed to identify and minimise the data protection risks of a project.
The organization should inquire about its third parties’ security wherever it can impact customer data.
Chief Data Officer
The organization should name a Chief Data Officer in charge of personal data protection.
Employees should be trained and aware of personal data protection requirements.
So, if you're worried that your customers' data will end up on the Dark Web, it's time to put in place an action plan.
We can assist you with each of these action lines: identify personal data protection measures, audit your suppliers, build a data governance policy, structure responsibilities, and provide you with indicators to measure progress.