Running a small business means not only following the tax policies and guidelines, but also abiding by Canada’s data privacy laws. That’s becoming more and more important for businesses now as any business today collects, stores, and shares clients’ digital information.
As a result, consumers have become increasingly concerned with how their data is being used, and the government has put safeguards in place to protect consumer privacy.
What Data Privacy Laws Should Small Businesses Know?
These laws are important to know as awareness of them can impact how a business even operates on a daily basis. The most important regulation that a small business should be aware of is the Personal Information Protection and Electronic Documents Act (PIPEDA), a federal law that outlines rules for how personal information is gathered through a business’s commercial activity.
These rules apply to federally regulated Canadian businesses, excluding those in provinces or territories that have their own privacy laws. At the time of this article’s publishing, that exclusion applies to British Columbia, Alberta, and Quebec.
Keep in mind that PIPEDA could still apply to businesses in those areas if any personal information crosses over jurisdiction.
Beyond this, there could be local legislation on data privacy as well. For example, Ontario has the Freedom of Information and Protection of Privacy Act, which gives individuals the right to request access to information held by public bodies. Ontario also has the Municipal Freedom of Information and Protection of Privacy Act, which protects consumers’ information in government records.
The final area to check is whether any sector-specific privacy laws apply. Depending on the industry, a business may be subject to these laws. For example, banks are subject to the Bank Act, which sets out how federally regulated financial institutions should manage and disclose personal financial information.
What Do Privacy Laws Mean For Small Businesses?
To put it bluntly: Canada takes data privacy seriously, and violating any legislation can result in hefty fines, litigation, reputational damage, or, in the worst cases, permanent business closure. All of that can be avoided if small businesses do the following.
Privacy policies appear on virtually every website, and for good reason. A privacy policy clearly tells users the following:
- What information the business is collecting,
- How it’s being collected,
- What the purpose of collecting it is,
- How it’s going to be used.
The policy should also be easy to find. On a website, businesses should have a dedicated tab outlining it and/or a link in the footer of each web page.
Minimize Employee-Associated Risks
Even if an employee exposes consumer information by accident, PIPEDA still treats that as a violation. As a result, small businesses should pay attention to the data privacy risks posed by employees. In practice, this looks like:
- Implementing security measures that will limit employee access to client information.
- Training and retraining staff on how to properly handle any data.
- Taking disciplinary actions in the event of a failure to follow or comply with privacy procedures.
Have A Privacy Officer
Every business that’s subject to PIPEDA must designate a Privacy Officer who is accountable for the business’s data privacy compliance. The identity of this individual should be provided on request, and their contact information should be posted on the company’s site. Furthermore, customer service representatives should know the Privacy Officer’s contact information and how to direct customers to that individual.
Avoid Asking for Social Insurance Numbers (SINs)
Consumers generally know that they should never provide their SIN to anyone other than government officials, or where it’s required by law (e.g. when requesting a credit report or providing the information to a federally regulated bank). If a business requires some proof of identification, a driver’s license or a government-issued identification card is enough. Furthermore, any forms a business creates should explicitly state that customers aren’t required to disclose their SINs.
Disclose Any Data Breaches
Even with preventative measures, data breaches will still happen. Cybercriminals are highly sophisticated and, in some cases, their attempts will succeed. This doesn’t by itself mean that a business has violated any laws. According to the Breach of Security Standards Regulations, any business that has a data breach involving personal information must do the following:
- Determine whether the breach presents a “real risk of significant harm” to any person. “Significant harm” includes bodily harm, humiliation, reputational damage, financial loss, loss of employment or business, loss of property, and identity theft, amongst others.
- If the breach does present such a risk to anyone, the business must notify the affected individuals as soon as possible.
- Report the breach to the Privacy Commissioner as soon as possible.
- Then notify any third party that could be affected, even if they’re not directly involved. For example, if the breach exposed a person’s credit card information, the business should notify the credit card company immediately.
- Record all information about the breach itself, including the steps the company took to mitigate its effects, and make these records available to the Privacy Commissioner.
Mtek Digital Managed Business Service
Mtek Digital provides help with virtually any business technology requirement. From IT services to Web and Video Marketing, we’re capable of servicing the tech industry throughout Canada. Contact us today.