In our previous article we invited SMBs to find the industry sector they operate in on our MPC Privacy Framework Quadrant.
There are many Canadian businesses in the “niche supplier” quadrant. If you are a part of this type of organization, you may be thinking:
“we don’t collect personal information, there is nothing for me to worry about”
Consider this then:
- You have employees and you need to onboard them and pay them: right here you collect a lot of personal (and quite sensitive) information
- You have customers and even if these are businesses, you have contact names, emails, phone numbers
- You have suppliers and you keep track of their contact information
- Do you deal with logistics companies and track shipments? How?
- Do you have CCTV surveillance anywhere on your premises?
Ask yourself: how many times has a supplier given you their personal cell phone number (or have you given yours to a customer) so that they can be reached quickly?
So they don’t just have your business details, but possibly some elements of your private information.
Would you not want that information protected?
Although a business contact is not covered by the federal privacy legislation for the private sector (PIPEDA), in many other countries this information is.
If your business is primarily based in Canada, you may also need to find out whether a provincial law applies (as in Quebec, Alberta or British Columbia) and check your obligations under it.
Selecting a privacy framework to build your privacy program with is the surest way to include the foundational elements you need to protect personal information from all sources, irrespective of the privacy laws you need to comply with.
There is another huge advantage to using reliable privacy frameworks: you can future-proof your privacy compliance program and your business growth.
With success and business expansion, you may depend on more data and collect more data, but you will also have to be more responsible and demonstrate that you are indeed protecting this valuable data.
Here are some reputable Frameworks in the Niche Supplier quadrant:
- Getting Accountability Right with a Privacy Management Program
- Privacy by Redesign PbRD™
- NIST 800-53 rev 5 Standard – encompasses both privacy and security controls based on a risk baseline
- MITRE Privacy Maturity Framework v1
What do these frameworks have in common? They bring information practices into the “privacy safe zone”.
These frameworks address common areas that regulators expect to see in a privacy program:
- Accountability (Leadership and Organization): includes oversight and individual responsibilities to access and use the collected information
- Training and Awareness: building a culture of privacy
- Incident/Breach Response
- Engineering privacy into products, services and platforms
- Information Security for personal information
- Privacy Risk Management (including monitoring compliance and reporting)
- Embedding privacy into business processes and practices
- Redress and transparency
Regardless of the size of your organization, you can use the MPC’s Practical Privacy Playbook (P3™) to understand what practices you have built, and whether these practices are sufficiently mature to help bring your organization’s information into the Privacy Safe Zone and to future-proof your privacy program. Using the P3 Playbook and a framework (or a combination of frameworks) ensures you have a harmonized approach to your privacy compliance obligations, and reduces the risk that your customers’, suppliers’ and employees’ personal information is not appropriately protected.
 Getting Accountability Right Framework: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-compliance-and-training-tools/gl_acc_201204/
 Co-authored by the Co-Founder of Managed Privacy Canada: https://iapp.org/media/pdf/resource_center/pdb_framework_implementation.pdf