Small business owners should never dismiss the importance of protecting customers’ privacy. Privacy laws apply to all businesses, regardless of size. Handling customers’ personal data with care can help you maintain customers’ trust and avoid potential lawsuits.
Learn the reasons you need privacy policies, then follow the necessary steps to develop a privacy strategy for your business.
Reasons to protect customer data
Media often emphasize security breaches of large organizations such as Facebook and Sony. Breaches at small businesses and microbusinesses may not be as newsworthy, yet the impact is no less serious. Breaches and cyberattacks could potentially devastate microbusinesses and completely shut them down.
In reality, smaller enterprises are being targeted more and more because they often lack the resources to counter such attacks. Even so, entrepreneurs’ lack of resources or ignorance of applicable laws doesn’t diminish their responsibility to protect customer information.
Benefits of protecting customer data
- increases sales
- mitigates business and legal risks
- adheres to good privacy practices
- fosters customer trust and goodwill
- anticipates or responds to questions
- ensures compliance within your organization
- supports marketing and training efforts
The more you take measures to protect your customers’ information, the more trust and potential loyalty they’ll have for your company.
Canadian privacy laws
Most businesses in Canada must comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA regulates how businesses collect, use and disclose the personal information they gather in the course of business operations. PIPEDA requires you to
- understand the data you can and cannot collect from a driver’s licence
- protect employee records if you conduct business in federally regulated sectors
- understand how to seek permission to collect, use or disclose an individual’s personal information
- protect personal data if you transfer personal information across borders to organizations in foreign countries
In addition to PIPEDA, Alberta businesses are also bound by the province’s Personal Information Protection Act (PIPA). In force since 2004, PIPA applies to private sector organizations and businesses, as well as to some non‑profit organizations. PIPA regulates the protection of personal information and an individual’s right of access to their own personal information.
Organizations subject to PIPA must develop and follow policies to meet their obligations under the Act. PIPA requires every organization to assign an individual responsible for compliance with the Act. Avoid trouble by ensuring that someone within your organization is responsible for data privacy.
Personal information protection policy requirements
Start by taking stock of the personal information your business handles:
- Do you collect information from or about persons under the age of 18?
- Do you collect customers’ credit card numbers or other sensitive financial or medical data?
- Do you collect Social Insurance Numbers (SINs), driver’s licence information, addresses or telephone numbers?
- How do you collect data? (e.g., online forms, paper forms, online transactions, payment terminals, bank machines, mobile devices, secure networks)
- How long do you need to keep information collected?
Once you’ve determined the data you’re collecting, consider how it’s being stored and secured. You have legal obligations if you handle medical or financial information, or data relating to minors.
What you don’t have can’t hurt you. Collect and store only the data you need. Limiting what you collect reduces your potential liability in the event of a data breach. The cost of collecting, storing and archiving data is also lower.
Be sure to secure the data you do retain, and keep it only as long as necessary. Destroy information no longer needed for an identified purpose or legal requirement.
Understand your data’s lifecycle, and develop appropriate guidelines and procedures. These should specify
- how long to retain data (i.e., minimum and maximum retention periods)
- when to regularly review information to determine whether it’s still needed
- when and how to destroy personal information
- methods of disposing of information (e.g., shredding, secure deletion of electronic files) to ensure that it cannot be accessed improperly
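As an added example (not from the original article), the following Python retention scheduler applies these guidelines to a record inventory: each record is classified as retain, review or destroy from its category’s minimum and maximum retention periods, a regular review interval, whether its identified purpose is still active, and any legal hold. The data categories, retention periods and sample records are constructed assumptions, not values from the article or from any statute.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Hypothetical retention rules per data category as (minimum, maximum) days;
# the values are constructed for illustration, not legal advice.
RETENTION_DAYS = {
    "contact": (0, 730),           # names, addresses, phone numbers
    "credit_card": (0, 90),        # sensitive financial data: keep it briefly
    "minor_consent": (365, 1095),  # consent records for persons under 18
}
REVIEW_INTERVAL_DAYS = 180         # re-check "still needed?" twice a year
@dataclass
class Record:
    record_id: str
    category: str
    collected: date
    purpose_active: bool              # still needed for its identified purpose?
    legal_hold: bool = False          # legal requirement to keep it (e.g. tax)
    last_reviewed: Optional[date] = None

def decide(record: Record, today: date) -> str:
    """Classify one record as 'retain', 'review' or 'destroy'."""
    minimum, maximum = RETENTION_DAYS[record.category]  # KeyError = unclassified data
    age = (today - record.collected).days
    if record.legal_hold:
        return "retain"   # a legal requirement overrides purpose-based disposal
    if age > maximum:
        return "destroy"  # past the maximum period: keeping it is pure liability
    if age < minimum:
        return "retain"   # minimum period not yet met
    if not record.purpose_active:
        return "destroy"  # no longer needed for an identified purpose
    last = record.last_reviewed or record.collected
    if (today - last).days >= REVIEW_INTERVAL_DAYS:
        return "review"   # due for the regular "is it still needed?" check
    return "retain"

def schedule(records, today: date) -> dict:
    plan = {"retain": [], "review": [], "destroy": []}   # record ids by action
    for record in records:
        plan[decide(record, today)].append(record.record_id)
    return plan

SAMPLE = [  # constructed inventory; try schedule(SAMPLE, date(2024, 6, 1))
    Record("c1", "contact", date(2021, 1, 1), True),         # past maximum
    Record("m1", "minor_consent", date(2024, 1, 1), False),  # minimum not met
    Record("c2", "contact", date(2023, 1, 1), True),         # review overdue
    Record("cc2", "credit_card", date(2023, 12, 1), True, legal_hold=True),
    Record("c3", "contact", date(2024, 3, 1), False),        # purpose ended
]
```

The "destroy" list is the input to your disposal procedure (shredding or secure deletion), and the "review" list is the agenda for the next scheduled retention review.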
Understanding privacy issues
If your business handles large volumes of personal information, it’s important to stay abreast of developments and best practices. Visit the Office of the Privacy Commissioner to learn more.
It’s also a good idea to consult with an experienced corporate lawyer. The team of business lawyers at Lift Legal is available to advise you on issues related to privacy and protecting personal information. Contact us today.