Small business owners should never dismiss the importance of protecting customers’ privacy. Privacy laws apply to all businesses, regardless of size. Treating customers’ personal data with care helps you maintain their trust and avoid potential lawsuits.
Learn the reasons you need privacy policies, then follow the necessary steps to develop a privacy strategy for your business.
Reasons to protect customer data
Media often emphasize security breaches at large organizations such as Facebook and Sony. Breaches at small businesses and microbusinesses may not be as newsworthy, yet the impact is no less serious: a breach or cyberattack can devastate a microbusiness and shut it down completely.
In reality, smaller enterprises are being targeted more and more because they often lack the resources to counter such attacks. Even so, entrepreneurs’ lack of resources or ignorance of applicable laws doesn’t diminish their responsibility to protect customer information.
Benefits of protecting customer data
All business owners and entrepreneurs have a moral and legal obligation to treat customer data fairly and respectfully. A strong privacy policy
- increases sales
- mitigates business and legal risks
- reflects good privacy practices
- fosters customer trust and goodwill
- anticipates or responds to customer questions
- ensures compliance within your organization
- supports marketing and staff training efforts
The more you take measures to protect your customers’ information, the more trust and potential loyalty they’ll have for your company.
Canadian privacy laws
Most businesses in Canada must comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA regulates how businesses collect, use and disclose the personal information they gather in the course of business operations. PIPEDA requires you to
- understand the data you can and cannot collect from a driver’s licence
- protect employee records if you conduct business in federally regulated sectors
- understand how to seek permission to collect, use or disclose an individual’s personal information
- protect personal data if you transfer personal information across borders to organizations in foreign countries
In addition to PIPEDA, Alberta businesses are also bound by the province’s Personal Information Protection Act (PIPA). In force since 2004, PIPA applies to private sector organizations and businesses, as well as to some non‑profit organizations; in practice it governs the handling of personal information within Alberta, while PIPEDA continues to apply to federally regulated businesses and to information that crosses provincial or national borders. PIPA regulates the protection of personal information and an individual’s right of access to their own personal information.
Organizations subject to PIPA must develop and follow policies to meet their obligations under the Act. PIPA requires every organization to assign an individual responsible for compliance with the Act. Avoid trouble by ensuring that someone within your organization is responsible for data privacy.
Personal information protection policy requirements
When developing a privacy policy, you should first conduct a data privacy audit. Determine the data your business actually needs. Be aware that, if your organization uses third-party analytics, advertising or tracking software, you may be collecting more than you realize. To determine how best to protect your business and customers, ask yourself the following:
- Do you collect information from or about persons under the age of 18?
- Do you collect customers’ credit card numbers or other sensitive financial or medical data?
- Do you collect Social Insurance Numbers (SINs), driver’s licence information, addresses or telephone numbers?
- How do you collect data? (e.g., online forms, paper forms, online transactions, payment terminals, bank machines, mobile devices, secure networks)
- How long do you need to keep information collected?
Once you’ve determined the data you’re collecting, consider how it’s being stored and secured. You have additional legal obligations if you handle medical or financial information, or data relating to minors.
What you don’t have can’t hurt you. Collect and store only the data you need. Limiting what you collect reduces your potential liability in the event of a data breach, and the cost of collecting, storing and archiving data is also lower.
Be sure to secure the data you do retain, and keep it only as long as necessary. Destroy information no longer needed for an identified purpose or legal requirement.
Understand your data’s lifecycle, and develop appropriate guidelines and procedures. These should specify
- how long to retain data (i.e., minimum and maximum retention periods for each purpose)
- how often to review retained information to determine whether it’s still needed
- when and how to destroy personal information, including any legal holds that override the schedule
- methods of disposing of information (e.g., shredding, secure deletion of electronic files, including backups and copies held by service providers) to ensure that it cannot be accessed improperly
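The retention schedule described above, turned into a small sweep that a business could run against its records, as an added example; this is not code from the original article or from Lift Legal. The purposes, retention periods, review window and sample records are constructed assumptions for illustration, not legal advice: the actual periods must come from your own audit and the legal requirements that apply to each kind of record.

```python
from dataclasses import dataclass
from datetime import date

# Constructed retention schedule keyed by the purpose each record was collected for.
# The periods are illustrative assumptions for this example, not legal advice.
RETENTION_RULES = {
    "order_fulfilment": {"min_days": 30, "max_days": 365},
    "tax_record": {"min_days": 7 * 365, "max_days": 7 * 365},
    "marketing_consent": {"min_days": 0, "max_days": 2 * 365},
}
REVIEW_WINDOW_DAYS = 90  # flag records for human review this long before max retention
SWEEP_DATE = date(2024, 6, 1)  # assumed "today" so the example is reproducible


@dataclass
class Record:
    record_id: str
    purpose: str          # the identified purpose the information was collected for
    collected: date
    legal_hold: bool = False  # a litigation or regulator hold overrides the schedule


def classify(record: Record, today: date) -> tuple[str, str]:
    """Return (action, reason); action is 'retain', 'review' or 'destroy'."""
    if record.legal_hold:
        return "retain", "legal hold in place"
    rule = RETENTION_RULES.get(record.purpose)
    if rule is None:
        # No identified purpose: PIPEDA/PIPA do not let you keep it "just in case",
        # but a person must decide whether it maps to a real purpose or is destroyed.
        return "review", f"no identified purpose for '{record.purpose}'"
    age = (today - record.collected).days
    if age > rule["max_days"]:
        return "destroy", f"age {age}d exceeds max retention {rule['max_days']}d"
    if age < rule["min_days"]:
        return "retain", f"age {age}d below min retention {rule['min_days']}d"
    if age >= rule["max_days"] - REVIEW_WINDOW_DAYS:
        return "review", f"age {age}d within {REVIEW_WINDOW_DAYS}d of max retention"
    return "retain", "within retention period"


def run_sweep(store: dict[str, Record], today: date) -> list[dict]:
    """Apply the schedule to every record, remove what is due for destruction,
    and return an audit log so the person accountable for privacy can show what
    was destroyed, when, and why."""
    log = []
    for record_id in sorted(store):
        action, reason = classify(store[record_id], today)
        log.append({"record_id": record_id, "action": action,
                    "reason": reason, "date": today.isoformat()})
        if action == "destroy":
            del store[record_id]
    return log


def summarize(log: list[dict]) -> dict[str, str]:
    """Map record id -> action, handy for reporting and for tests."""
    return {entry["record_id"]: entry["action"] for entry in log}


def sample_store() -> dict[str, Record]:
    """Constructed sample records for the example."""
    return {
        "r1": Record("r1", "order_fulfilment", date(2023, 1, 1)),      # 517 days old
        "r2": Record("r2", "order_fulfilment", date(2024, 5, 1)),      # 31 days old
        "r3": Record("r3", "order_fulfilment", date(2023, 8, 15)),     # 291 days old
        "r4": Record("r4", "tax_record", date(2015, 1, 1), legal_hold=True),
        "r5": Record("r5", "unknown_survey", date(2024, 1, 1)),        # purpose never identified
    }


if __name__ == "__main__":
    store = sample_store()
    for entry in run_sweep(store, SWEEP_DATE):
        print(entry)
    print("remaining:", sorted(store))
```

Two caveats for anyone adapting this. First, `del` removes the record from an in-memory store; it does not securely erase anything on disk. On SSDs and cloud storage, overwriting files is unreliable, so the practical way to make electronic records unrecoverable is to encrypt each dataset with its own key and destroy the key (crypto-shredding), and the same schedule has to reach backups and copies held by service providers. Second, keep the audit log the sweep produces: the person your organization designates for privacy compliance will need it to show that information was destroyed according to policy.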
Communicating your privacy policy
Ensure that your customers are aware of your privacy policy. Communicate it in your contracts, brochures and other print literature. If you have a website, you’re required by law to post your privacy policy. Similarly, if you use a web or mobile application that collects or transmits personal data, it too needs a privacy policy. Such policies are legally binding commitments between your business and your customers.
If you rely on service providers outside of Canada to collect, use, disclose or store personal information, your policy must identify the countries in which such collection, use, disclosure or storage occurs or is likely to occur. Your privacy policy must also specify the purposes for which the provider is authorized to collect, use or disclose personal information on behalf of your organization.
Understanding privacy issues
If your business handles large volumes of personal information, it’s important to stay abreast of developments and best practices. Visit the Office of the Privacy Commissioner of Canada and, for Alberta businesses, the Office of the Information and Privacy Commissioner of Alberta to learn more.
It’s also a good idea to consult with an experienced corporate lawyer. The team of business lawyers at Lift Legal is available to advise you on issues related to privacy and protecting personal information. Contact us today.