Personal Data – The responsibility
With the arrival of the European Union's General Data Protection Regulation (GDPR) in 2018 and the upcoming adoption of Quebec's Bill 64, which will modernize some of Quebec's privacy laws, small Quebec organizations are asking what kind of governance they should put in place.
Act respecting the protection of personal information in the private sector and Bill 64
In Quebec, the amendments that Bill 64 makes to the Act respecting the protection of personal information in the private sector introduce the concept of accountability for personal data. Specifically, the bill provides that the person exercising the highest authority within the enterprise is responsible for ensuring that the Act is implemented and complied with. This responsibility may be delegated in writing to a "Responsible for the Protection of Personal Information" (RPPI), whose title and contact information must be published on the organization's website or by any other appropriate means. Bill 64 spells out the RPPI's responsibilities throughout the life cycle of personal data.
It is also important to note that Bill 64 introduces "administrative monetary penalties", intended to prompt the person carrying on an enterprise to remedy a security or confidentiality breach quickly and to deter repeat violations. This follows the precedent set by the GDPR. As a rule, such coercive measures weigh most heavily on large commercial players and major contractors, who in turn often require proof from their business partners that they comply with the legal frameworks governing personal data.
General Data Protection Regulation (GDPR)
In Europe, the GDPR establishes the role of "Data Protection Officer" (DPO). Articles 37 to 39 define the role (Article 37: designation; Article 38: position; Article 39: tasks).
The GDPR goes much further than Bill 64 in defining the roles and responsibilities of the person in charge of protecting personal data. The DPO's function is broader and more demanding, ranging from maintaining the record of processing activities, risk management and data protection impact assessments, monitoring compliance and handling notifications, to ensuring that adequate security measures are in place. The GDPR also lays down two critical requirements for the DPO: independence (the DPO must not receive instructions on how to perform the tasks and must not be penalized for performing them, Article 38) and expert knowledge of data protection law and practice (Article 37(5)).
The GDPR also defines which organizations must designate a DPO (Article 37(1)). The two most common cases are:
- Public authorities and bodies (e.g. a university or hospital)
- Private companies whose core activities involve large-scale processing of personal data or regular and systematic monitoring of individuals on a large scale (e.g. Facebook)
A third case covers core activities involving large-scale processing of special categories of data (such as health data) or data relating to criminal convictions. Outside these cases, a private organization has no obligation under the GDPR to create a DPO role, although a Member State law may require one (Article 37(4)) and an organization may designate one voluntarily.
The reality of private companies in Quebec
All small private businesses in Quebec are already subject to the Act respecting the protection of personal information in the private sector, and Bill 64 will raise their level of responsibility. The same companies may also be subject to the GDPR for various reasons (e.g. a European subsidiary, or processing the personal data of individuals located in the EU). How should these small businesses handle the governance of personal data?
Governance - The Board of Directors
For small private companies that have a board of directors and that handle personal data, it is appropriate to involve the board at a high level. Management could provide the board with an annual summary of activities and incidents related to personal data. Likewise, the annual presentation of the risk analysis should highlight the risks associated with personal data.
Governance - Responsible for the Protection of Personal Information
For a company that handles personal data in both Quebec and Europe, should it name a DPO or an RPPI?
The DPO title has a legal meaning in the GDPR: it carries specific and broad responsibilities, and the DPO must be independent and have expert knowledge. For a small business in Quebec that is not required by Article 37 to designate a DPO, the title should not be given to its privacy manager, because using it implies that the organization has taken on those statutory obligations. The designation "Responsible for the Protection of Personal Information" (RPPI) is sufficient: it meets Quebec's bill and does not conflict with the GDPR, and the RPPI can then put in place the processes and controls needed to comply with the GDPR.
Once the RPPI is appointed, the organization should publish the RPPI's title and contact information on its website, as Bill 64 requires, and define the RPPI's mandate, tasks, and responsibilities.
Governance - Independence of the "Responsible for the Protection of Personal Information" (RPPI)
Independence is a real issue for the RPPI in small businesses: with few staff, conflicts of interest are hard to avoid. Although it cannot always be helped, the information technology manager should not be the RPPI, since that person would be assessing their own systems and decisions. If the organization has an information security officer, that person is a more viable choice. In any case, RPPI independence can become a headache for small organizations.
Governance - Responsibilities and involvement of the RPPI
The appointed RPPI will have specific responsibilities under Bill 64, and the organization will need to put in place a framework that enables the RPPI to carry them out properly. Here are some ideas that could help the RPPI perform these functions adequately. The RPPI could:
- Be an integral part of the security committee.
- Be involved in the launch of a new product, to determine whether the project involves personal data.
- Be involved when the IT team develops new features that have a significant impact on personal data.
- Be involved in the acquisition of new IT solutions.
- Have a budget to audit all processes and controls related to personal data.
- Be involved in the development and testing of the security incident response plan.
- Be involved in the organization's annual risk analysis.
- Be involved in the annual review of the organization's security policy.
Governments do not change the laws and regulations governing personal data for no reason: the stakes are growing, and the public feels vulnerable about its personal data. Smaller organizations will face even more responsibilities and obligations, and they will have to develop practical, straightforward approaches to complying with these new laws and regulations without letting compliance become a burden.