Skip to Content

Earning consumer trust post-COVID-19

A data protection impact assessment is effective compliance tool for businesses.

Crowd walking over binary data

As the world struggles to adjust to the pandemic, it is becoming increasingly clear that business will look very different post-COVID-19. Traditional enterprises are likely to focus their sales online, and remote working is expected to remain more commonplace. As a result, companies will need to carefully consider the impact this will have on the privacy of their consumers and employees.

Indeed, a growing number of Canadians are already distrustful of how businesses handle their personal information. Surveys show they believe they have little to no control over how the data gets used.

After the pandemic, when the world settles into a new normal, companies will have to compete for a different kind of consumer. They will likely have to dedicate more of their resources to embed privacy into their business model or further improve on current practices. They would be wise to get into the habit of performing data protection impact assessments (DPIA).

A DPIA, as it is known in the EU, is a compliance tool. Its purpose is to measure the effect of privacy-invasive technologies likely to put at risk people's rights and freedoms. Under the EU's General Data Protection Regulation, or GDPR, organizations must conduct a DPIA before using technologies such as CCTVs or drones; or monitoring employees in the workplace, relying on profiling as a means for decision-making, and processing information about vulnerable groups such as children, or the sick.

A DPIA begins by detailing the personal information processing activities of a business. It asks what the purposes of processing and the business's legitimate interests are. Second is the assessment of related necessity and proportionality of the processing operations. Third, is looking at the risks to the rights and freedoms of consumers by assessing them and determining the measures to address them. A DPIA also calls for individuals to participate in the process, where appropriate. Then it should be regularly reviewed and updated for significant changes.

Here are some guiding questions to consider as part of the assessment. Who has access to the personal information? Where is it stored? How is it being used? How long is it retained? What safeguard measures are in place against unauthorized access? Many parties may participate in the preparation of a DPIA, such as an organization's privacy lawyer, IT and security team and external privacy consultants.

The Office of the Privacy Commissioner of Canada (OPC) is currently looking to modify the personal information privacy laws and bring them in line with the reality of the disruptive forces of technology. If it wants to follow in its European counterparts' footsteps, it should encourage businesses to engage in dialogue with users.

A critical goal for businesses is to design privacy into an organization's fabric. But as the champion for the undertaking, an organization's chief privacy officer (CPO) or internal legal counsel may find it challenging to get buy-in from stakeholders to budget for a DPIA. If that is the case, they should stress that business brand and reputation are at stake. The organization should use all means necessary to reduce its legal exposure to complaints and build and maintain trust with consumers and employees.

A DPIA not only shows good faith on the part of a business towards regulatory bodies and users of a product or service. It also minimizes the risks of both regulatory investigations or individual complaints. If a complaint is filed with the OPC, an organization would look to use internal resources or hire external counsel to either respond to investigations or possibly defend itself in court.

Another useful purpose is that a DPIA can assist organizations in the event of corporate restructuring or help bring up to speed those coming into new roles in the privacy office. A newly appointed CPO will certainly want to review existing privacy policies and procedures as part of her onboarding at a company. A DPIA may be the most important document to consult as it details what the privacy team needs to know about its processing operations related to the use of new technologies, where it currently stands on existing issues and future areas of focus. The contents would also be useful for training and awareness programs. The bottom line is that investing in a DPIA helps streamline related privacy processes and amortize privacy-related business expenses. According to Ariane Mole, co-Head of International Privacy Practice at Bird and Bird, chief information security officers (CISOs) or executive heads involved in the preparation of a DPIA eventually develop valuable reflexes when later confronted with high-stakes privacy challenges.

To perform a successful DPIA first requires awareness of what the benefits will be to the company. CPOs need to make senior management aware of those. They should also consider involving external consultants to communicate user feedback as this lends objectivity to the process. Once a DPIA is prepared, a company can request the opinion of the Privacy Commissioner of Canada depending on the level of risk involved to the rights and freedoms of consumers and employees and anticipated challenges.

It's hard to say how COVID-19 will change the world, but you can expect that there will be greater scrutiny over privacy issues. Managing privacy concerns will have to form a part of an enterprise's business strategy. Canadian businesses will need to continue their efforts and focus their resources on bridging the transparency gap with their consumers and employees. Conducting a DPIA for tracking and monitoring technologies with user participation to the extent possible brings a business one step closer to earning consumer trust, regardless of what the law says in Canada.