New privacy law presents risks to companies
Stakeholder conversations are vital, Ari Indyk says.
Companies should engage in a proactive dialogue about data privacy.
The Canadian privacy landscape has undergone a seismic shift. On Thursday, the federal government brought into force key provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA), a cornerstone of Canadian privacy regulations.
Canadian organizations are now legally obligated to report a breach of security safeguards to the privacy commissioner, keep a comprehensive record of every breach for two years, and notify affected stakeholders when there is a real risk of significant harm.
These new regulations will affect the Canadian business community, including both large corporations and small businesses. According to Statistics Canada, more than one in five Canadian companies were hit by a cyberattack last year, and only 10 per cent reported it to law enforcement agencies.
So, while the updates to PIPEDA provide enhanced protection for consumers, they also generate increased risks for businesses.
There are, of course, legal risks around compliance and potential litigation. There are also economic risks, as failure to comply with the new regulations can trigger fines up to $100,000.
But where PIPEDA will really drive heightened risk for business is around reputational impacts.
The mandatory disclosure requirements under PIPEDA mean companies face greater exposure and scrutiny from internal and external stakeholders.
According to the Edelman Trust Barometer, our company’s annual study of public trust in key institutions, 80 per cent of global consumers believe that failure to protect customer information affects trust in a company, highlighting the direct link between reputation and data security.
So, what can Canadian companies do to mitigate the reputational risks stemming from Thursday’s changes to PIPEDA?
First, companies should engage in a proactive dialogue about data privacy. The first time a company discusses data privacy with its stakeholders should not be in the aftermath of a breach. To help inform that dialogue, companies can develop a core privacy narrative that enables them to frame the conversation, demonstrate good governance, and highlight their commitment.
To prepare for a potential breach, organizations should also have a data incident communications response plan that guides communication with key stakeholders, including customers, employees, business partners, government officials, and media.
Preparation also requires practice. The response team should train around the communications plan, simulating a high-risk, high-probability scenario that tests the plan and bolsters team performance.
If a breach does occur, how an organization responds will have a significant impact on its reputation. The Edelman Vancouver Crisis and Risk Practice Group recently analyzed the five largest breaches among Fortune 500 companies over the past five years. We compared communications strategies against stock price performance, and what we found were several best practices among the companies that best weathered the storm.
First, these companies proactively disclosed the incident and participated in discussion around the breach, enabling them to credibly shape the public narrative. They also had a regular cadence of communications with affected stakeholders that conveyed empathy, awareness, and action. Lastly, their C-suite was visible during the response, be it the CIO, CISO, or CEO, which demonstrated accountability and the priority being ascribed to the incident.
Thursday’s updates to PIPEDA mark a major shift in the regulatory landscape. Canadian businesses should ensure they understand how these changes affect their organization and what steps they can take to reduce their risks.
More broadly, these new regulations will feed an evolving conversation about how companies acquire, process, store, handle, and share consumer data. It’s an important conversation, and one that every Canadian company should be prepared to have with its stakeholders.