With the recent wave of privacy reforms sweeping across Canada and abroad, including changes to the privacy legislation in Quebec with Bill 64 (“Quebec Privacy Law”) and the proposed reform to the federal private sector privacy legislation with Bill C-27, the role privacy officers play in organizations has garnered significant attention. Having gained substantial leadership experience as a privacy officer, I offer in this article the perspective I gained in these unique and essential roles. Each mandate, while quite different in practice, yielded similar lessons that I believe every practitioner working in the privacy sector should adopt to maximize their effectiveness within their organization. The following are seven key lessons every privacy officer or practitioner should know.
1. Obtain Support from the Top
For any privacy officer to be effective in their role, they must be supported from the top. This principle was codified by the Quebec Privacy Law, which clearly states that an organization has to ensure that its privacy officer has the authority to ensure that the organization is in compliance with the Quebec Privacy Law. The Quebec Privacy Law appoints the CEO as the privacy officer by default, unless the CEO delegates this responsibility to someone else in the organization.
Unlike the Quebec Privacy Law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and other similar privacy legislation in Canada do not explicitly state that the individual “exercising the highest authority in the organization” is accountable for ensuring compliance. However, it is important for an organization to empower the privacy officer with the necessary authority to obtain and uphold compliance, and to act as the face of privacy compliance for the company.
Quite simply, if the privacy officer does not have support from the top, it is unlikely they will be able to perform their role effectively.