Ann Cavoukian, former Information and Privacy Commissioner of Ontario and expert-in-residence at Ryerson University’s Privacy by Design Centre of Excellence.
Changes to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) are set to come into effect Nov. 1. Those changes include requiring organizations to inform consumers when data breaches occur with a “real risk of significant harm.”
Strategy spoke to Ann Cavoukian, former Information and Privacy Commissioner of Ontario, about what the changes mean for senior marketers. Cavoukian is the creator of the Privacy by Design framework, which helped shape the European Union’s General Data Protection Regulation (GDPR), and she serves as an expert-in-residence at Ryerson University’s Privacy by Design Centre of Excellence.
What do the changes to PIPEDA mean for marketers who have oversight of customer data?
“They will all be required, as will everyone else, to notify their customers if a data breach takes place involving the personal data of individuals. I’m glad there’s now this mandatory breach notification requirement, but a lot of discretion will need to be exercised, because they’re saying it has to involve real risk, so [marketers] will have to decide if there’s real risk or not.”
How difficult is it to assess risk when dealing with data breaches?
“I would say that virtually all data breaches involve real risk, because you have no real means of assessing it. When I was commissioner, we would find out about these cases of data breaches, sometimes the bad guys would lay low for a year or so. They’ve got the data, they’re sitting on it until everything quiets down and then boom, they start using the data. So I think it’s very difficult to assess the risk. [But] all information at some point or another can involve significant harm and should be considered sensitive.”
Given the lack of clarity around some of the regulations, how should marketers approach them to ensure compliance?
“Err on the side of caution. If it were me, I would say notify everyone involved whatever the data breach is. That’s an extreme case. I know they’re not going to do that. But that’s the safest way. If they don’t want to alert their customers or get them nervous, my caution to them is if this thing explodes, and there is real risk, then you are going to have to pay a much bigger price. Because these days it’s not just lawsuits, it’s class-action lawsuits that arise in the face of data breaches. Think of Equifax. Think of Target. Act on the side of reporting the data breach. You’re far more protected by doing that.”
A recent survey showed that 63% of Canadian companies have no formal plan for data protection. Given the data breaches that have occurred over the last year, why do you think companies have been slow to adopt plans?
“It’s out of folly. Because we see data breaches increase on a daily basis. Companies are just now beginning to wake up to this. I ask companies, ‘Do you have a data map?’ And they look at me questioningly. Usually the first instance – what I call the primary purpose of the data collection – is sound. Consent has been obtained for that particular purpose and that purpose alone. But where does the data flow after that within your organization? You need to have a data map so that you can navigate all of this, and then make sure that you have installed additional consents where it’s used for uses that are unrelated to the primary purpose of data collection.”
The GDPR seems to have gotten more attention in Canada than PIPEDA. Why is that and do you see parallels between the two?
“The GDPR was such a game-changer. It elevated concerns for privacy. It substantiated the need for personal control on the part of data subjects. And as mentioned, the Privacy by Design framework is included in the GDPR for the first time ever.
[That framework] is all about pro-actively [embedding] the much-needed protections into the design of the operations, bake it into the code, bake it into the data architecture, into your policies, so that you can prevent privacy [issues] from arising. It’s much like a medical model of prevention, as opposed to the existing system of regulatory compliance after the fact, after a breach has happened. You complain to the commissioner, he investigates and issues a ruling that will hopefully restore some faith. But often it’s too little, too late.”
Any final thoughts on how marketers can approach privacy and data?
“When I get invited to speak to marketing organizations, I always start by saying, ‘I’m probably the least popular person here.’ Fortunately, they laugh. But I always tell them, privacy isn’t anti-marketing, it’s pro-choice. As long as you embed the ability for individuals to say yes or no to what you’re offering. You might think it will hold you back, and it may take an additional step, but then you build trust, which is so lacking right now. Everyone’s looking at marketers as being the bad guys, and they’re not. You just have to engage your customers, your data subjects, and you need to get them involved. When they’re engaged, then you’re more likely to get their consent anyway. It’s not privacy versus marketing. It’s privacy and marketing.”