Data Privacy Day 2023: Best Practices for Safer, More Secure Data Management
Anyone who knows me knows my lifelong passion for all things data. From asking the right question to building the right methodology, data and data-driven decision-making have been at the forefront of innovation and civic progress for generations. International Privacy Day provides an opportunity to reflect on the progress made and where to focus our efforts going forward to ensure that data providers and data consumers have the processes to sustain a privacy-compliant and progressive world.
We are at an interesting juncture as a profession where legislation is evolving as rapidly as technology. It is incumbent on the entire community to align behind best practices to ensure a stable infrastructure that enables data-driven decision-making across all industry sectors. Here are a few areas to commit to for 2023 and beyond to maintain the highest standards of privacy, controls and procedures to safely manage data and serve Canadians.
1. Document an effective privacy management program. This is a critical deliverable under Bill C-27, and if you don’t have a program in place, now is the time to build one. At EA, we have embedded our advanced program into all aspects of our data and service delivery. Our best practices include:
- The protection of all data, including personal information
- Training and information provided to staff respecting its policies, practices and procedures
- Documenting data privacy practices to explain our policies and procedures
- Mapping data throughout the entire lifecycle (using data flow diagrams) and governance for each department on collection, access, processing, storing, using and distributing data
- Carrying out risk and privacy risk impact assessments
- Adapting to a privacy by design framework as a default corporate approach
2. Make a commitment to privacy, and communicate it broadly. Organizations are responsible for the data that is under their control and must be devoted to high standards that require honesty, integrity, transparency and fairness. Protecting the privacy and the confidentiality of personal information is fundamental to all stakeholders.
At EA, we make the following commitments and encourage all organizations to take a similar approach:
- Be accountable for all data that is under our control
- Commit to the fair information principles for how we collect, use and disclose personal information
- Make every effort to be transparent about our privacy practices
- Set policy with firm data retention rules
- Operate in accordance with strict privacy and security policies and procedures
- Undergo rigorous audits such as SOC1, SOC2, HIPAA, TRUSTe Data Collection, and Privacy by Design to validate you are operating at the highest auditable standards for data processing, security and privacy
- Adopt a proactive approach to comply with changing Privacy Laws
3. Manage and deploy information security safeguards. Stakeholders expect us to demonstrate that we collect data appropriately, keep it secure and use it for purposes that advance their interests.
At EA, our approach to security incorporates a mature data governance program ensuring protection throughout the lifecycle of the data. Our commitment is to make every effort to keep personal information secure, and ensure we use appropriate physical, technical and administrative safeguards. Data protection is embedded into our systems, projects and services from the beginning, starting with design. To accomplish this, we have policies, controls and processes related to secure data transfer, cyber security, storage, retention, access encryption, anonymization, re-identification risk, data quality and privacy risk assessments. All of these functions represent security best practices that are auditable and incorporated into our security awareness programs.
4. Ensure you are working with compliant data products. Data are complicated. The algorithms, workflows and privacy-enhancing technologies are built into our methodologies to produce high-quality normalized and representative results that must be de-identified, aggregated and without the possibility of re-identification. Paramount among our privacy compliance practices at EA are those embedded in product development: how we build the databases that thousands of users rely on daily—PRIZM®, DemoStats, SocialValues, Opticks, WealthScapes, MobileScapes and many more. Our databases do not use Personal Information as inputs. We use de-identified, aggregated, and anonymized data from reputable sources, including governments, market research companies, data aggregators and providers of “big data”. Our expert data scientists model the data to small area geographies such as a postal code or neighbourhood to ensure privacy compliance via our industry-standard Privacy Impact Assessment process. We also embed privacy into all aspects of our consulting services, including our recently launched EAVault Clean Room service.
The road ahead
Organizations need to stay vigilant and proactive in protecting themselves from privacy and security risk. Data is continuously evolving, and so is the legislation that safeguards it. Compliance must be a top priority for all organizations to maintain the trust of our clients, consumers and citizens.
If you have any questions regarding how to build a privacy-compliant program or would like more information on our policies and procedures, please feel free to contact me. Let’s keep the conversation going beyond International Privacy Day.
Jan Kestle is the President and Founder of Environics Analytics, and has been a leader in data and analytics for over five decades. An expert in using statistics and mathematics to solve social and business challenges, she has worked with hundreds of organizations in all sectors to support their data-driven decision-making. She is a member of the Canadian Statistics Advisory Council, Western University’s Morrissette School of Entrepreneurship and the Ted Rogers School of Management’s Dean’s Advisory Council.
Environics Analytics is an active member of the Canadian Marketing Association’s Privacy and Data Advisory panel, the Canadian Anonymization Network (“CANON”) and the International Association of Privacy Professionals.
PRIZM is a registered trademark of Claritas, LLC.