Lexpert Magazine

November/December 2018

Lexpert magazine features articles and columns on developments in legal practice management, deals and lawsuits of interest in Canada, the law and business issues of interest to legal professionals and businesses that purchase legal services.

Issue link: https://digital.carswellmedia.com/i/1045898


72 LEXPERT MAGAZINE | NOVEMBER/DECEMBER 2018 | DATA PRIVACY

application, implementation and modernization of all aspects of privacy policy," Bernier says. "The framework should clearly set out who is on the cyber response team and how internal compliance will be managed, as well as formulate a breach response plan for all jurisdictions in which the company operates."

Good governance links organizations effectively from top to bottom and from side to side. "The CEO must be engaged because she should always be involved in managing risk, managers must implement the C-suite's policies, including the supervision of staff, and all staff must truly adopt the concept of privacy as a matter of ethics," Bernier said. "Good governance is the mechanism that brings good policies to life."

Nishisato is adamant that breach response plans be tested by way of simulation. "It can't just be a piece of paper sitting on a shelf, because it can easily be derailed," he said. "What happens, for example, if email goes down as part of a hack? How will people communicate?"

What is clear is that regulators are bearing down on what they expect from companies collecting personal information. "Just restating PIPEDA [Personal Information Protection and Electronic Documents Act] in 20 pages doesn't cut the mustard anymore," said Lyndsay Wasser, the Toronto-based co-chair of McMillan LLP's privacy and data protection group. "Broad principles like 'consider who to notify' have given way to policies that go into the details of dealing with a breach."

An effective "playbook," then, must answer certain basic but critical questions. "They include who are the key decision makers; how do you get in touch with them; how do you classify incidents; how and when do you escalate; how will people communicate if systems are down; what are the key messages that need to be communicated; how frequently will the response team meet to determine next steps; and who will be the outside providers, including external counsel, forensic experts, and IT consultants?" said Ruth Promislow in Bennett Jones LLP's Toronto office.

Then there are the issues relating to third parties who are handling personal information for companies. "Clients must ensure that service providers handle data properly by including appropriate contractual obligations in their agreements and by selecting providers who have good privacy policies," Wasser said.

Contractual terms for data protection are becoming more common, Wasser notes, because clients are now trying to avoid being drawn into litigation where a third-party service provider has suffered a breach or has been subjected to a regulatory investigation. "Clients will have to make greater efforts to address the issues in advance and obtain the appropriate indemnities," Wasser said. "I've seen contracts that contain everything from a broad statement of appropriate measures that are satisfactory, to specific requirements for firewalls, encryption, and data transfer protocols."

COPING WITH EVOLUTION

Complying with domestic federal and provincial legislation, however, is but part of the picture. As privacy laws emerge and change rapidly throughout the world, organizations ranging from Canadian multinationals to small and medium-sized businesses (SMEs) that have no physical presence in other jurisdictions but sell or even advertise to consumers there, online or otherwise, must cope with the evolution.

Take the GDPR, for example, which has extensive extra-territorial reach. "Any company, wherever it is in the world, that offers products or services in the EU and whether it has a physical establishment there or not, must comply with the GDPR regarding the processing of personal information," Bernier said.

Even companies that don't face the EU on the client or customer side may find themselves dealing with the GDPR. "Very locally focused organizations which have service providers from the EU are suddenly being confronted with requests to update agreements or clauses so they comply with the GDPR," says Ryan Berger in Norton Rose Fulbright Canada LLP's Vancouver office.

Global compliance, however, is a tedious business. "First, you have to find out where the data is stored, and which jurisdictions and laws are engaged," Nishisato said. "Once that fact-finding is complete, clients need to obtain proper advice in each jurisdiction."

But completing the fact-finding is easier said than done. "Data mapping is the hardest part of compliance, partly because many organizations start from a very low baseline," Bernier said.

Some clients balk at the cost and intrusiveness of the endeavour. "Part of what we do is educate our clients that, if they don't go through the process thoroughly, the whole organization might be at risk," Nishisato said.

Still, solutions must be cost effective. "Counsel have got to think privacy issues through from a practical point of view," said Theo Ling in Baker & McKenzie's Toronto office. "On the one hand, you have to appreciate what the various laws say you have to do, but you've also got to figure out how to interpret them and choose the best way forward from a business risk and operational perspective."

It helps that privacy laws are converging worldwide. "My view is that privacy laws are becoming more aligned even as the general standard goes up," Ling said. "While there are scenarios where there's a requirement to notify in certain jurisdictions but not in others, the ones that require notification all focus on some assessment of the risk of harm and a way to determine that risk."

By way of example, Ling said he believes that the timing of the announcement of Canada's new notification regime — in the works since 2015 — was "partly or significantly prompted" by the enactment of the GDPR, which, among other things, introduced breach notification as a part of EU privacy law. "It was a bit of an imperative that the November implementation was announced in April, just before the GDPR came into force," the lawyer said. "No doubt Canada wishes to maintain its 'adequacy' status by which the EU recognizes that Canadian privacy laws are 'equivalent',

FRANCESCA GAUDINO, BAKER MCKENZIE LLP: "Organizations need to put themselves in a position to respond quickly because there's not time for planning while the cyberattack is happening."
