Skip to content

10 things businesses need to know about protecting personal information

B.C. Information and Privacy Commissioner Michael McEvoy says a customer’s trust is one of the most valuable assets a business of any size can have.
Data privacy
Ensuring customers' data remains protected can help businesses keep consumer trust and assist in building business.

B.C. Information and Privacy Commissioner Michael McEvoy says a customer’s trust is one of the most valuable assets a business of any size can have.

“Protecting people’s personal information is crucial to maintaining that trust,” McEvoy said. “Organizations need more than good intentions to achieve this – they need a plan.”

He said the commissioner’s office’s PrivacyRight program offers a step-by-step guide for businesses for building a comprehensive privacy management program.”

So, what are the top 10 things businesses should be looking at to protect customers’ personal information?

1. Assign a privacy officer: Depending on the size of your business, this might be you, but you must have a dedicated staff member who can oversee how your organization handles personal information and respond to privacy questions or complaints.

2. Know what you have: Conduct an inventory of all the personal information in your custody, why you have it, how sensitive it is and where it’s stored.

3. Assess risk: Determine whether you have adequate security safeguards in place to protect the personal information in your custody.

4. Write privacy policies that people can understand: Keep it straightforward and in plain language, not “legalese.”

5. Develop and follow a records retention schedule: Don’t hang on to personal information that no longer serves a legitimate business purpose.

6. Develop a breach management plan: Having a breach management plan in place gives you a plan to ensure that if you are subject to a privacy breach, you’re able to mitigate the worst effects and work quickly to rebuild customer trust.

7. Train and train again: Make privacy a part of your training protocol for employees. (See the OIPC’s PrivacyRight program for a host of resources suitable for this purpose.

8. Hire someone to test your defences: Hiring someone to do “pen” or penetration testing – such as simulating a cyberattack on your data – is one way you can see how well your defences would hold up in the face of an actual attack.

9. Know your partners: While banks are highly regulated, and that regulation confers a level of trust, the same isn’t always true with data storage. Thoroughly research anyone who will be handling your customer’s data.

10. Review and revise: Privacy threats are ever-changing, so it’s important to ensure that your privacy policies, safeguards, breach response plans and training are updated regularly.

— With thanks to the Office of the Information and Privacy for compiling the lists at the request of Glacier Media.

jhainsworth@glaciermedia.ca

Twitter.com/jhainswo