Is Your Company Implementing a New Technology System? Remember to Protect Your Data

Companies are constantly evolving, whether it is to increase productivity, overcome labour shortages or simply keep up with industry leaders. Implementing new technologies is one way to reach these goals.

Today, technologies that do not use information technology are rare, and information technology necessarily means data processing.

In this short article, we will only cover data relating to an identified or identifiable individual, which we will call personal information, the term used by Quebec and Canadian privacy laws.

Personal Privacy at the Core of All New Technology

In order to avoid penalties, which in some situations can amount to up to €2 million or 4% of worldwide revenue, or to avoid a costly class action, companies should consider how personal information will be handled from the beginning of the system's implementation. This is the principle of "Privacy by Design".

By applying this principle, companies ensure that privacy compliance is a central concern when implementing new technology. Moreover, this principle should be applied as soon as the time comes to select the new technology to be used.

Choosing a technology that facilitates the application of this principle will save time and money when launching the system into production. It will be more costly for the company to comply with privacy law requirements after a new system has been fully deployed without having considered the protection of personal data beforehand. 

Although this principle is not established as a formal obligation in Quebec and Canadian legislation as it is in Europe, we believe that Quebec and Canada will follow suit in the upcoming reforms to our privacy laws.

The 7 Foundational Principles of Personal Privacy Protection at the Design Stage

The concept of Privacy by Design developed by the former Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian, puts forward seven foundational principles:

• Proactive not Reactive; Preventive not Remedial
• Privacy as the Default Setting
• Privacy Embedded into Design
• Full Functionality – Positive-Sum, not Zero-Sum
• End-to-End Security – Full Lifecycle Protection
• Visibility and Transparency – Keep it Open
• Respect for User Privacy – Keep it User-Centric

Without going into more detail on the principles listed above, upon configuring the implementation of a new system, the collection of personal information should be limited to the purposes necessary for the business, which are disclosed to the affected persons. By default, personal information should only be made accessible to a limited number of people within the company on a "need-to-know" basis. 

Moreover, the company should at all times know the type or nature of personal information collected, its location in its systems, its retention period and to whom it discloses or transfers the personal information it holds and processes in the course of its activities. 

It must be able to easily update or delete this personal information. Therefore, any new system should have functionality that allows the company to comply with these requirements as well as with requests from individuals who would like to exercise their rights with respect to their personal information held by the company. 

Choosing a Cloud or a Physical Server? 

When a new system is installed entirely on the company's own server, control over personal information is easier and less risky than if the same system were implemented on a third-party controlled cloud server. However, in some cases, this third party may have greater financial resources than the company and may be able to acquire state-of-the-art security systems.

In any case, if the new system is hosted and provided by a third party in cloud computing mode, an agreement between the company and the third party is strongly recommended, or even mandatory in some cases, to govern the processing of personal information shared by the company with that third party.

While it is true that technology can increase a company's productivity, care must be taken to implement it properly and to avoid any surprises resulting from poor management of personal information used by this new technology. 

The question is not whether or not your company will be the object of a cyber attack, but when and if it is ready to face it.

Our Technology Law and Privacy Practice Groups can help you implement internal processes for managing personal information as part of the implementation of new technology. Our professionals can also prepare you to act in the event of a cyber attack or simply to respond to requests from individuals from whom you collect personal information.