Executive Summaries Aug 27, 2019

Is Your Company Implementing a New Technology System? Remember to Protect Your Data

Companies are constantly evolving, whether it is to increase productivity, overcome labour shortages or simply keep up with industry leaders. Implementing new technologies is one way to reach these goals.

Today, technologies that do not use information technology are rare, and information technology necessarily means data processing.

In this short article, we will only cover data relating to an identified or identifiable individual, which we will call personal information, the term used by Quebec and Canadian privacy laws.

Personal Privacy at the Core of All New Technology

In order to avoid penalties, which in some situations can amount to up to €2 million or 4% of worldwide revenue, or to avoid a costly class action, companies should consider how personal information will be handled from the beginning of the system's implementation. This is the principle of "Privacy by Design".

By applying this principle, companies ensure that privacy compliance is a central concern when implementing new technology. Moreover, this principle should be applied as soon as the time comes to select the new technology to be used.

Choosing a technology that facilitates the application of this principle will save time and money when launching the system into production. It will be more costly for the company to comply with privacy law requirements after a new system has been fully deployed without having considered the protection of personal data beforehand. 

Although this principle is not established as a formal obligation in Quebec and Canadian legislation as it is in Europe, we believe that Quebec and Canada will follow suit in the upcoming reforms to our privacy laws.

The 7 Foundational Principles of Personal Privacy Protection at the Design Stage

The concept of Privacy by Design developed by the former Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian, puts forward seven foundational principles:

  • Proactive not Reactive; Preventive not Remedial
  • Privacy as the Default Setting
  • Privacy Embedded into Design
  • Full Functionality – Positive-Sum, not Zero-Sum
  • End-to-End Security – Full Lifecycle Protection
  • Visibility and Transparency – Keep it Open
  • Respect for User Privacy – Keep it User-Centric

Without going into more detail on the principles listed above, upon configuring the implementation of a new system, the collection of personal information should be limited to the purposes necessary for the business, which are disclosed to the affected persons. By default, personal information should only be made accessible to a limited number of people within the company on a "need-to-know" basis. 

Moreover, the company should at all times know the type or nature of personal information collected, its location in its systems, its retention period and to whom it discloses or transfers the personal information it holds and processes in the course of its activities. 

It must be able to easily update or delete this personal information. Therefore, any new system should have functionality that allows the company to comply with these requirements as well as with requests from individuals who would like to exercise their rights with respect to their personal information held by the company. 

Choosing a Cloud or a Physical Server? 

When a new system is installed entirely on the company's own server, control over personal information is easier and less risky than if the same system were implemented on a third-party controlled cloud server. However, in some cases, this third party may have greater financial resources than the company and may be able to acquire state-of-the-art security systems.

In any case, if the new system is hosted and provided by a third party in cloud computing mode, an agreement between the company and the third party is strongly recommended, or even mandatory in some cases, to govern the processing of personal information shared by the company with that third party.

While it is true that technology can increase a company's productivity, care must be taken to implement it properly and to avoid any surprises resulting from poor management of personal information used by this new technology. 

The question is not whether or not your company will be the object of a cyber attack, but when and if it is ready to face it.

Our Technology Law and Privacy Practice Groups can help you implement internal processes for managing personal information as part of the implementation of new technology. Our professionals can also prepare you to act in the event of a cyber attack or simply to respond to requests from individuals from whom you collect personal information.

Stay on the lookout!

Subscribe to our communications and benefit from our market knowledge to identify new business opportunities, learn about innovative best practices and receive the latest developments. Discover our exclusive thought leadership and events.

Subscribe

You would also like

Rencontre au Sommet

Rencontre au Sommet: Turning Economic Challenges into Collective Opportunities

lexpert

27 BCF Professionals Stand Out in the Canadian Legal Lexpert Directory 2025

Canada US flags

Customs Tariff Uncertainty: Impacts on Quebec Businesses

Analyse statistique - tarifs douaniers

Statistical analysis of the impact of U.S. tariffs on Quebec economy

Contrats commerciaux et echanges

Assessing and Mitigating the Impact of New U.S. Tariffs on Your Contractual Relationships

Data-Privacy

Bill 82: One Step Closer to a National Digital Identity (and Modifications to Other Provisions!)

Entrepreneurship forum

Entrepreneurship Forum: Vision 2025

Athlete

Protecting Privacy in Sports – Don’t Wait to be Caught Flat-Footed!

data-protection

Obligation to Report Information Security Incidents: The Autorité des Marchés Financiers Catches the Wave and Publishes a New Regulation

Right to Data Portability: Is your Organization Ready?

Tech Forum 360

Tech 360 Forum: Growth and Inflection Points

Prospera: Québec’s Economic Barometer

Canada's Best Managed Companies: BCF Recognized for 17th Consecutive Year

paul et misha

BCF Strengthens its Expertise in Artificial Intelligence

new-partners-2024

BCF Has Appointed Three New Partners

Who’s Who Legal : 5 BCF Professionals Stand Out

BCF extends its Partnership with the Canadian Association of Black Lawyers to a Third Year

Demystifying Privacy Impact Assessments (PIAs)

The Data Processing Agreement: An Essential Resource to Implement

camera-on-a-wall

The Incident Response Plan: the Cornerstone of Effective Crisis Management

forum-privacy-en

Strategic Forum on Enterprise Data Protection

Chambers Canada Ranking: Five of our Lawyers Recognized

Photo of Julie Doré

Julie Doré Takes Over Management of The BCF Business Law Firm

BCF Welcomes Five New Up-and-Coming Lawyers

Prospera – Quebec Economic Barometer

Julien Tricart, Member of the Meritas Sports Law Group

Pride Month: Let’s Create an Inclusive Future

Canada’s Best Managed Companies: BCF Recognized for 16th Consecutive Year

New Privacy Requirements: Is Your Business Compliant?

Every Woman Counts

Strategic Forum on the Role Played by Businesses in the Fight Against Climate Change

BCF Partners with the Canadian Association of Black Lawyers to Promote Diversity in Québec Law Faculties

BCF's More Inclusive Approach: Improved Parental Leave

Shaun E. Finn Appointed to the Superior Court of Québec

How to Ensure a Business Succession?

Business black folders on table

Adoption of Bill 78 on Transparency Business: Are You Ready?

Strategic Forum on Market Consolidation and Business Succession

BCF Partners with the Clinique Juridique de Saint-Michel to Promote Access to Legal Studies for Young People from Diverse Communities

BCF Welcomes Two New Lawyers

What Are the Best Practices for Managing Privacy Incidents?

Shaun E. Finn, Co-Author of In the Public Eye: Privacy, Personal Information, and High Stakes Litigation in the Canadian Public Sector

Should Using Personal Information Obtained Without Consent Be Grounds for Class Action Authorization?

Five of our Lawyers Stand out in the 2023 Edition of the Chambers Canada Ranking

Cybersecurity and Privacy in Canada: What You Need to Know About Bill C-27

Is the Loss of Personal Information Sufficient to Justify the Success of a Class Action on the Merits?

Bill C-26: The Federal Government Takes a Closer Look at Cybersecurity and Privacy

Jocelyn Poirier, BCF’s Chief Privacy Officer

43 BCF Professionals Stand Out with 78 Nominations in the 2023 Editions of Best Lawyers in Canada and Ones to Watch

Seven New Lawyers Join BCF

Adoption of Bill 96: Be Ready

Bill 96 is Passed: How Will It Affect Your Relations with Customers and Suppliers?

Pride Month: The Value of Diversity

BCF, the 3rd Largest Law Firm in Québec

Canada’s Best Managed Companies: BCF Recognized for 15th Consecutive Year

BCF Welcomes Isabelle Métivier as a Real Estate Partner

BCF Recognized by the Globe and Mail as one of Canada’s top Law Firms

BCF Welcomes Julien Lefebvre as a Partner in its Business Law Team

Chambers Canada 2022: BCF Earned Band 1 Ranking in Québec for Corporate and Commercial Law

Seven New Lawyers Join BCF

Privacy and Data Protection Class Actions: Trends, Challenges and Best Practices

A First in Canada: Privacy Class Action Dismissed on the Merits

escalier

BCF Welcomes Seven New Lawyers

Supreme Court of Canada Takes Another Step towards the Guiding Principle of Good Faith in Contract Performance

Collaboration in the Time of COVID-19: Legal Considerations for Successful AI and Healthcare Partnerships

Economic Recovery Strategic Forum

Adoption of Bill 42: Mandatory Disclosure of Nominee Agreement with Tax Consequences

Shaun E. Finn and Danielle Miller Olofsson Publish a Unique Practical Handbook on Privacy and Data-Protection Class Actions

23 BCF Partners Ranked in the Canadian Legal Lexpert Directory

36 Lawyers of BCF Stand Out with 52 Nominations in the 2021 Edition of Best Lawyers in Canada

What Are the Implications of the End of EU-U.S. Privacy Shield Framework for Your Business?

Investigation on Tim Hortons’ Application

Québec’s Bill 64 to Amend Data Protection Legislation: A Bill with Teeth?

Does the Use of Thermal Imaging Cameras in Stores Comply with Privacy Laws?

COVID-19: Solutions to Address this Situation

COVID-19: Finally a Toolbox for Developers of Geolocalisation Applications

Tracking the COVID-19 Pandemic with Cellphones

COVID-19: Will the Pandemic Really Have an Impact on Your Contracts?

COVID-19: Contractual and Practical Measures to Be Taken

COVID-19: Don’t Forget Data Protection When Designing a Response Strategy

Terranova Security Partners with Microsoft

COVID-19: When to Invoke Superior Force?

BCF once again ranks as one of Montreal's Top Employers

BCF Names 16 New Partners for Its 25th Anniversary

Joint Controllership or the Risks of using Website Plugins

Sundial and Crescita Sign Exclusive Partnership to Develop Cannabis and Hemp Topicals

Are You a Leader or a Follower?Results of the Innovation Survey

Infrastructure and Major Projects: Dare to Think Big

Chambers Canada 2020: BCF Recognised in Corporate and Commercial Law

Strategic Forum on Innovation

Different Legislative Approaches to 5G

Innovating to Survive: Are You a Leader or a Follower?

5G Technology Is Coming: Legal Questions Abound

Legal Issues Surrounding the Industrial Revolution 4.0

Where Does Québec Stand in Terms of Privacy Class Actions?

André Ryan: The Grand Prix Lawyer

Health Canada Is Changing its Cannabis Licensing Process

16 BCF Partners Recognized in the Prestigious Canadian Legal Lexpert Directory

De-fogging the Cloud Act

fenetres

Google and CNIL: a Case of Inappropriately Obtained Consent

Best Practices for Québec Companies Receiving European Data

Anonymization? Think Again

The Deep Web and Dark Web Demystified for Businesses

The GDPR is Coming: How to Get Ready

Protection of Personal Data: New Measures Put in Place by the European Union

Is Your Organisation Collecting Too Much Data and Is It Well Protected?

Get the latest thought leadership