How We Process Data

At Environics Analytics (EA), we don’t collect data directly from consumers to create our data products. Instead, EA partners with different companies who share non-personally identifiable information with EA. For the data we use to build our data products, we follow a Data Ingestion process comprised of the following steps:

• Scrutinize Data Supplier and Potential Data
• Execute Privacy Impact Assessments
• Sign Legal Paperwork
• Receive Data from Data Supplier

Before we create any data products, we conduct a Privacy Impact Assessment (PIA) to identify any potential privacy risks. Environics Analytics first meets a potential Data Supplier to develop a business relationship. This process is governed by the "Data Sources and Data Products" policy within EA's Privacy Policy. Environics Analytics determines if there is a fit for the supplier's data into one of our data products.

If the Data Supplier passes the preliminary assessment, EA works on formalizing an official business relationship. The first step in this process is to ensure that the Data Supplier has satisfied the legal requirements that enables them to share data with Environics Analytics. This check is done by executing a Vendor Risk Assessment (VRA) and ensuring that the Data Supplier has obtained the proper consent to share the data. This process is governed by the "Privacy Management Program" policy contained within EA's Privacy Policy.

Under Quebec Law 25, de-identified data should be given the same protection rights as Personal Information. As such, Environics Analytics assumes that any data received from Quebec is Personal Information, and the user must grant appropriate consent before it can be shared with EA by the Data Supplier. After the VRA has been executed, if the Data Supplier satisfies the above criteria in their privacy notice, we agree that they have obtained proper consent to share data with EA.

Environics Analytics does not create data products using "Personal Information" and therefore, does not receive personal information from its data providers. Therefore, no express consent should be required to share this type of data with EA.

Since not all data that Environics Analytics uses in its data products relates to individuals (store locations, for example), the VRA will determine if the data collected is appropriate for obtaining meaningful consent by determining the risk to the individual if the information was breached. If the Privacy Office determines that the data collected is not attributable to an individual, then the Data Supplier will not need to satisfy valid consent requirements.

In addition to reviewing privacy risks, a Vendor Risk Assessment will be conducted by the Compliance Office for the Data Supplier to determine if they have the proper security safeguards to prevent a data breach. This process will also investigate the Data Provider to review:

• What Privacy Enhancing Technologies they employ
• How they have implemented Privacy Solutions in their data flows
• The technical specifications that preserve privacy
• How they have integrated privacy concerns into their data collection process

Those companies who provide us with data must sign a contract and adhere to the supplier code of conduct. Click here to review our Supplier Code of Conduct.