Like Europe and the UK, Quebec’s Law 25 has moved closer to ensuring that customers control how, when, and where their personal information is processed. Consent ensures that your customer’s personal information is treated like the precious cargo it is – handled with care and not tossed into the sea of manipulation. Consent allows the customer to set boundaries and feel like they are driving.

In today's digital landscape, businesses face an ongoing struggle to strike the right balance between security and privacy. While robust security measures are essential to protect sensitive data and assets, maintaining customers’ and employees’ privacy is equally important to establish trust and comply with regulations. Privacy by Design (PbD) incorporates this as a principle (more on that in a future article), stating that it should not be a “zero sum” game; privacy and security should work together and not be in competition of one or the other.

When you are a SaaS provider, you have control over the software you develop, as well as the deployment processes. You are good at securing your cloud and ensuring privacy legislation is adhered to. But, what happens when you offer an on-premises or hybrid solution that clients deploy on their own (or with your assistance)? How do you ensure that the software is still being kept in a secure state and that there won’t be any collateral damage and finger pointing should something go horribly wrong?

With the groundbreaking US adequacy decision, Canadian businesses need to aware of how EU personal data transfers to the US will impact them. This is a summary detailing what the adequacy decision means for Canadian businesses.

We’ve seen a significant increase in the number of security assessments our clients are receiving from their own clients. For the more medium-size company, it starts becoming pertinent to align to a particular standard, of which there are many to choose from, each with their own merits and focus areas. One such standard that is very widely recognised, is ISO 27001.

What happens when you cannot see the forest for the trees? There are so many threats out there it’s hard to keep up with which ones directly (and materially) affect your business. Businesses can waste tremendous time and effort in addressing generic threats that do not directly relate to their business, simply because it seemed like a good idea (or someone in power heard about it at the last conference they attended).

Call centres are often the first point of contact between customers and businesses. Over the past few years, with advances in technology, including AI, call centres are collecting more personal information than before and using it in novel ways. This article explores how call centres may violate privacy and what they can do to reduce their risk of non-compliance.

Collecting geolocation information can be useful to your business, however, if not done properly, not only will you be non-compliant with privacy regulations, get fined, and find your company in a class-action lawsuit, but you will be classified as that “creepy stalker” that nobody wants to associate with. Read up on the latest cases involving geolocation data.

Consumers have succumbed to the lack of privacy they have, and have come to terms that they must give up their information to participate in society and remain relevant. They know their information is ‘out there’ and they are not getting it back. They know that short of living in a cave, this way of life will not change. Privacy is dead. A reckoning is coming in which consumers will search for companies that are responsible with consumer information. They are searching for companies they can trust. Only those companies that are proactive in re-imagining privacy will remain relevant, profitable, and future-ready for a reckoning that is coming.

There’s something distinctly wrong about waiting for things to go wrong, and then patching and fixing it after the fact. This is something that happens all the time when it comes to security of software applications. All too often, security is considered as an afterthought, or when you’re rolling around to quality assurance, and not when the actual development has taken place.

Determining the lawful basis for processing personal data can, at times, be confusing as the six lawful bases outlined in the GDPR can be interpreted (or manipulated) to make it fit for purpose. You can no longer avoid seeking consent to process personal data by simply including it in a contract.

Companies are so focused on collecting data because of its value that they often neglect something that is even more valuable because of its rarety - TRUST. This article discusses the four building blocks to earning trust, which will result in a company being more profitable, more relevant and future-ready for a data paradigm shift that is coming. When a company implements these four building blocks - Clarity, Culture, Craft and Communication - it will have a competitive advantage.

Software products, similar to vehicles, old houses, and technologies, eventually reach the point where the cost of rebuilding and refactoring becomes greater than the cost of rewriting and releasing under a newer platform, language, or architecture. During these sunset phases of a product, development is often ramped down, resources are reduced, systems are terminated, and focus is given to the new products, betas, and rollout efforts. The risk of neglect towards critical “life support systems” at these stages is high, particularly in the security space.

Many companies have some form of privacy program in place, whether it’s a very small program for an SME, to large complex governance plans for larger companies. Despite these maturities, there are some common blindspots you need to be aware of in the privacy space. This article breaks down three of the top unexpected sources of data we found while working with our clients.

A big risk facing many companies today is what is known as “purpose creep” or “secondary purpose.” This is when personal information is collected for one purpose but is also used for a different purpose. If the individual who provides their information is not aware of the secondary purpose or does not provide consent to use the information for that other purpose, it may result in misuse of personal information, which is a breach.

It sounds like a good idea. You’ve got a legal team on retainer, and they are completing a project for all your documents, so why not let them do your security and privacy documents too? Well, the fact is, Privacy and Security are specializations on their own, and this can lead to some pretty stark missteps in your policy implementation if they aren’t drafted to match your operations.

We have all heard about the privacy versus convenience dilemma. There is also a trade-off between security and convenience. More security controls add a layer of complexity (and dare we say inconvenience) to opening files, transmitting information, and sharing data with others, which does not always make for a seamless process or gain customer satisfaction.

Google is set to follow Apple in restricting cross-app tracking on its Android devices. Google’s Privacy Sandbox will lead to better ad privacy for users but will have a direct ad revenue impact on businesses. Having a trusted brand with a robust privacy program and a stellar value proposition can help businesses in this evolving landscape.

Classification of data within your possession is not necessarily something that a lot of companies (particularly smaller ones) think of, but the practice is becoming a regular requirement of security attestations and Data Processing Agreements (DPAs). Within the privacy and information security spaces, different types of information are treated differently, be it relating to how it is stored, or even where it is transferred (for example, there may be restrictions on transferring medical details outside of your country of residence).

The EU’s Data Governance Act promotes decentralized intercompany channels, opportunities, and data governance to enhance the EU’s data economy.