
 

 

 

 

 

 

 

"Privacy may be the price of doing business internationally."

 

Robert Parker

Deloitte

 

 

 

Deloitte

 

Deloitte's privacy professionals have developed a methodology to assess and evaluate an organization's readiness for the Act's requirements. Areas to be addressed include procedures, policies and codes, processes, employee education, and safeguards. Based on the assessment, Deloitte uses a combination of management and technology solutions to design an effective compliance framework tailored to the risks and exposures facing individual organizations.


Privacy Compliance

A framework for action

There are clear competitive advantages for companies that take privacy seriously. Identifying the challenges unique to your organization and understanding the opportunities inherent in privacy compliance are necessary stepping stones to building a framework for action.

Challenges

 

    • Meeting complex cultural and regulatory environments
    • Identifying and controlling cross-border data flows
    • Managing upstream and downstream flows in the extended enterprise
    • Developing a strategy for compliance and competitiveness
    • Understanding the opportunities in the changing technology space
    • Determining the proper data usage to support the business model and privacy strategy
    • Driving the value of privacy into the organization

Opportunities

 

    • Branding: Enhance the organization’s reputation by helping customers feel more secure.
    • Competitive Strategy: Make superior privacy policies and procedures known.
    • Regulatory: Understand the laws in each jurisdiction where the organization does business. Meet the most stringent requirements, while enhancing business opportunities.
    • Organizational: Privacy compliance facilitates improved organizational functioning.
      Driving the value of privacy throughout the organization ensures compliance. Staff training improves morale and customer relations. A chief privacy officer position assigns responsibility and authority and ensures continual monitoring for ongoing success.
 

Phase 1: Assess


Identify all current systems for collecting, storing, using and disseminating personal information. Analyse gaps between current systems and the requirements of privacy legislation.

Phase 2: Design


Develop a strategic plan for achieving compliance, including a detailed project plan providing direction, methodology and tools.

Phase 3: Implement


Change, amend or create systems, procedures, forms and contracts to reflect compliance.

Phase 4: Monitor


Ensure ongoing compliance with regular reviews and audits.

 

Common Privacy Principles

18 essential practices

  1. Data collection must be lawful and fair.
  2. Personal information must be collected for a specific, disclosed purpose.
  3. Data collection must have the individual's consent.
  4. The individual must be given a choice about providing information.
  5. Data must be accurate, timely and relevant to the purpose for which it is collected.
  6. Data must not be used for or be capable of being used for discriminatory purposes.
  7. Privacy policies and procedures must be published.
  8. The individual must have the right to access, correct or delete personal information.
  9. Trans-border data flow restrictions must safeguard information.
  10. Future use and disclosure of personal information is not permitted without specific informed consent.
  11. Personal information shall be protected by security safeguards appropriate to its sensitivity.
  12. Security safeguards shall protect personal information against loss or theft, unauthorized access, disclosure, copying, use or modification.
  13. Minimum and maximum retention periods must be established.
  14. Personal information that is no longer required for identified purposes should be destroyed, erased or made anonymous.
  15. Organizations shall develop guidelines and implement procedures to govern information destruction.
  16. Care shall be used in disposing of or destroying personal information.
  17. An identifiable contact person must be designated for consumer inquiries.
  18. An organization shall investigate all complaints, and take appropriate measures, including amending its policies and practices, if justified.
This list, compiled by Deloitte from legislative, regulatory and guidance documents, summarizes essential privacy principles, or “Fair Information Practices”.

Privacy Page

 

Don Sheehy

Telephone: 416 601 5863

Email:  dosheehy@deloitte.ca

 

 


© 2003 - 2008 NYMITY