Best Practice Albina Magomedova

Hashing Isn’t a Magic Cloak: Why Data Remains Unmasked

Hashing is a popular tool in data analysis for businesses, known for its ability to convert personal data into an anonymous format. However, hashed data is not truly anonymized and can be vulnerable to attacks that may re-identify the original data. To ensure data privacy, it's important to use hashing alongside other methods like encryption and tokenization, and to understand privacy regulations and best practices. This approach provides a more robust way to safeguard sensitive information. Explore advanced techniques to protect your data assets while maintaining privacy and security.

Best Practice Sharon Bauer

Unlocking Retail Potential: The Power of Data Clean Rooms

Data clean rooms have emerged as a pivotal solution for retailers seeking to harness the power of data collaboration without compromising privacy. For retailers, the advantages are numerous: from gaining deeper insights into customer behaviour to enhancing targeted marketing strategies, data clean rooms offer a treasure trove of opportunities. However, the journey has its challenges. Retailers must navigate issues such as data integration complexities, compliance with privacy regulations, and the need for robust security measures. Choosing the right data clean room is crucial and involves evaluating factors such as scalability, ease of use, and the ability to integrate with existing systems. This article delves into the intricacies of data clean rooms, exploring their benefits, challenges, and key considerations for retailers aiming to leverage this innovative technology.

Best Practice Albina Magomedova

The Art of Selling Privacy

Last week, Bamboo hosted a Privacy & Retail Workshop with several national retailers in attendance. This workshop was a huge success! The discussions in the room focused on privacy implementation in retail and facilitated the exchange of lessons learned and how to grow a business alongside privacy compliance. What stood out most to the Bamboo team was the undeniable truth of the shared challenge every retailer faces on the journey to bolstering their company’s privacy posture – communication.

Privacy, Best Practice, Security Ross Saunders

The Eternal Push and Pull: Striking a Balance between Endpoint Protection and Employee Privacy

At Bamboo we’re constantly aware of the push and pull between privacy and security, which often comes to the fore in processes such as incident response or in considerations around data lakes and operational data. In the last few weeks, though, we’ve seen a great deal of discussion around Data Leak Prevention (DLP) and endpoint protection, and how they clash with employee privacy – particularly when Bring Your Own Device (BYOD) is involved.

Best Practice Lauren Preston

Refined Guidance on Valid Consent

The criteria for obtaining lawful consent were discussed in depth in our Law 25 Consent White Paper, released in late 2023. The CAI has published its final consent guidelines (Guidelines 2023-1-Consent: Validity Criteria (“Consent Guidelines”)), providing us with a clearer picture and refined guidance on what is required for consent to be valid.

Best Practice Ross Saunders

The Challenge of Public Expectation

When dealing with privacy and security, everyone jumps straight onto the compliance bandwagon. There are set laws, frameworks, regulations, standards and other checklists that allow you as a business to proudly state that you are compliant. But does ‘to-the-letter’ compliance match the public’s expectations?

Best Practice Lauren Preston

Consent - The Key to Trust and Respect of Customers

Like Europe and the UK, Quebec’s Law 25 has moved closer to ensuring that customers control how, when, and where their personal information is processed. Consent ensures that your customer’s personal information is treated like the precious cargo it is – handled with care and not tossed into the sea of manipulation. Consent allows the customer to set boundaries and feel like they are driving.

Best Practice Ross Saunders

Navigating the Tightrope: Balancing Security and Privacy Conflicts

In today's digital landscape, businesses face an ongoing struggle to strike the right balance between security and privacy. While robust security measures are essential to protect sensitive data and assets, maintaining customers’ and employees’ privacy is equally important to establish trust and comply with regulations. Privacy by Design (PbD) incorporates this as a principle (more on that in a future article), stating that it should not be a “zero sum” game; privacy and security should work together and not be in competition with one another.

Best Practice Ross Saunders

Help Clients Help Themselves: Privacy and Security in On-Premises Deployments

When you are a SaaS provider, you have control over the software you develop, as well as the deployment processes. You are good at securing your cloud and ensuring privacy legislation is adhered to. But, what happens when you offer an on-premises or hybrid solution that clients deploy on their own (or with your assistance)? How do you ensure that the software is still being kept in a secure state and that there won’t be any collateral damage and finger pointing should something go horribly wrong?

Best Practice Ross Saunders

Ready. Set. ISO!

We’ve seen a significant increase in the number of security assessments our clients are receiving from their own clients. For a medium-sized company, it starts becoming pertinent to align to a particular standard, of which there are many to choose from, each with its own merits and focus areas. One such standard that is very widely recognised is ISO 27001.

Best Practice Ross Saunders

Removing the Blinkers: Assessing the PrivSec Threats to your Business

What happens when you cannot see the forest for the trees? There are so many threats out there it’s hard to keep up with which ones directly (and materially) affect your business. Businesses can waste tremendous time and effort in addressing generic threats that do not directly relate to their business, simply because it seemed like a good idea (or someone in power heard about it at the last conference they attended).

Best Practice Ross Saunders

How Left Do You Lean? Security Maturity in the SDLC

There’s something distinctly wrong about waiting for things to go wrong, and then patching and fixing them after the fact. This happens all the time when it comes to the security of software applications. All too often, security is considered as an afterthought, or only when you’re rolling around to quality assurance, and not while the actual development is taking place.

Best Practice Sharon Bauer

Building Blocks to Earning Trust: The 4 C’s

Companies are so focused on collecting data because of its value that they often neglect something that is even more valuable because of its rarity - TRUST. This article discusses the four building blocks to earning trust, which will result in a company being more profitable, more relevant and future-ready for a data paradigm shift that is coming. When a company implements these four building blocks - Clarity, Culture, Craft and Communication - it will have a competitive advantage.

Best Practice Sharon Bauer

Secondary Purpose: Don’t be a creep

A big risk facing many companies today is what is known as “purpose creep” or “secondary purpose.” This is when personal information is collected for one purpose but is also used for a different purpose. If the individual who provides their information is not aware of the secondary purpose or does not provide consent to use the information for that other purpose, it may result in misuse of personal information, which is a breach.

Best Practice Ross Saunders

Law firms have their place. Writing your security policies is not it.

It sounds like a good idea. You’ve got a legal team on retainer, and they are completing a project for all your documents, so why not let them do your security and privacy documents too? Well, the fact is, Privacy and Security are specializations on their own, and this can lead to some pretty stark missteps in your policy implementation if they aren’t drafted to match your operations.

Best Practice Ross Saunders

The Tipping Scale: PrivSec vs. Convenience

We have all heard about the privacy versus convenience dilemma. There is also a trade-off between security and convenience. More security controls add a layer of complexity (and dare we say inconvenience) to opening files, transmitting information, and sharing data with others, which does not always make for a seamless process or gain customer satisfaction.

Best Practice, Data Ross Saunders

Classifying Data - The Basics

Classification of data within your possession is not necessarily something that a lot of companies (particularly smaller ones) think of, but the practice is becoming a regular requirement of security attestations and Data Processing Agreements (DPAs). Within the privacy and information security spaces, different types of information are treated differently, be it relating to how it is stored, or even where it is transferred (for example, there may be restrictions on transferring medical details outside of your country of residence).
