With International Data Privacy Day having just passed and the amendments to Québec’s Act respecting the protection of personal information in the private sector (Law 25) having been in effect for several months, we thought it would be a great opportunity to provide you with a cheat sheet of seven items to help you write your data privacy and security to-do list for 2024.
1. Plan for upcoming changes
Privacy Impact Assessment (PIA). Conduct a PIA before embarking on any project to acquire, develop or overhaul an information system or electronic service delivery system that involves the collection, use, communication, storage or destruction of personal information. Beyond new initiatives, revisit previously completed assessments and update any that no longer reflect your current practices.
Security of biometric data. If you are considering processing biometric data, first verify that the processing passes the reasonableness test set out in Canadian privacy laws. If it does, develop a comprehensive plan to put sufficient security measures in place, obtain informed consent, and meet your obligations under Québec’s Act to establish a legal framework for information technology, which apply in particular when biometric characteristics are used to verify or confirm an individual’s identity or when a biometric database is created.
2. Ask if you still really need it
Follow your retention calendar. Start the new year by consulting your retention calendar and verifying that all information scheduled for destruction has actually been securely destroyed. Document the result, for example with certificates of destruction, so that you hold a record you can produce if your compliance is questioned.
Review your anonymization practices. The Québec government recently published a draft regulation on anonymization, and the final regulation is expected in the near future. Review your current anonymization methods against the draft so that data you treat as anonymized will meet the coming standard.
3. Prepare for employees joining or leaving your organization
Review your onboarding process. Confirm that any background checks are performed in compliance with Canadian privacy laws and that new employees receive privacy training covering the requirements and risk mitigation practices those laws mandate.
Update your accountability framework. Because the start of the year often coincides with peak turnover, make sure that the internal framework assigning data protection roles and duties to employees can withstand changes in personnel and remains compliant with Canadian privacy laws.
4. Deal properly with commercial transactions
Prepare a written agreement. Whether the transaction is a merger, an acquisition or any other commercial transaction, a confidentiality and data protection agreement must be put in place with the other party before any personal information is communicated, including during due diligence. The agreement should set out the requirements of Canadian privacy laws for the handling and protection of that information throughout the transaction.
Notify the concerned individuals. If you receive personal information in the context of a commercial transaction and intend to keep using it after closing, notify the individuals concerned that you now hold their personal information, and comply with your other obligations under Canadian privacy laws.
5. Put together an AI governance framework
Put together an AI framework. AI gained significant prominence in 2023 and the trend continues into 2024. To ensure that your organization is equipped to address the risks associated with AI, consider establishing an AI governance framework, including a generative AI policy governing employees’ use of generative AI tools. For more information on this topic, refer to Decoding Tomorrow: BLG Primer on AI Governance.
6. Record what’s going on
Take care of your consent requests. The Québec privacy regulator, the Commission d’accès à l’information, has published guidelines on the validity of consent that set out best practices on the topic. Consult the guidelines (published only in French, but translated by BLG and explained during our webinar) and review your consent requests against them. Implement a consent registry to record how you meet the consent requirements of Canadian privacy laws.
Leave traces. To minimize and manage the risk of complaints and regulatory scrutiny, establish procedures for documenting and recording your organization’s data processing activities, with particular attention to consent, security incidents and the handling of individuals’ privacy rights requests.
7. Manage your contracts
New contracts. When negotiating new contracts that involve the sharing of personal information, ensure that the agreement incorporates the necessary and preferred provisions for protecting personal information and addresses identified risks. Even better, take a proactive approach and consider attaching your own data protection schedule to the agreement.
Contracts coming to term. As contracts with service providers approach their term and come up for renewal, assess whether adequate data protection safeguards are in place. To avoid gaps in your contractual data protection obligations, maintain an inventory of contracts with service providers that handle personal information.
Terminated contracts. If you decide not to renew an agreement, remember that your service provider may have obligations tied to termination. These may include returning any personal or confidential information shared during the contract term or providing written confirmation of its secure destruction.
With this lucky 7 checklist in hand, you’ll have an excellent way to organize and prioritize your data privacy and security activities for the year. Don’t hesitate to reach out to our team if you need any practical advice on how to tackle any of the steps listed above.