When someone's personal data is lost or stolen, major problems ranging from difficulty accessing personal records to identity theft can occur. To help prevent these things from happening, the law places certain data protection responsibilities on companies like yours when you collect personal data from customers and employees. Non-compliance with these data protection responsibilities will cost your company, so it's important that you adhere to them. With that in mind, here are the most important responsibilities that you need to keep in line with, according to regulations set forth by the Office of the Privacy Commissioner of Canada:
You must have a specific reason for collecting personal data
The less data you have, the less that can be lost or stolen in the event of a data breach. As such, the law prevents you from arbitrarily collecting personal data "in case you need it." Instead, you are required to only gather the bare minimum amount of data you need to complete a task. Anything more is unlawful, so be sure that you can effectively explain why you have collected each piece of data that you gather – especially extremely sensitive information like a Social Insurance Number.
You must actively secure personal data
Once you have decided what data you need, you must closely guard all of it. This will be your front line of defense against data theft. Physical versions of data should be placed under lock and key in a secured location; digital versions should be encrypted at multiple levels, both in the stored files themselves and whenever they are shared.
You should also enact an information security policy within your business that prevents your employees from accidentally taking steps that weaken the security of that data.
Your records must be accurate
When gathering personal information about people, it is extremely important that the data you have is accurate. You should have a system in place that allows you to quickly update a customer's or employee's individual record in real time as their information changes.
You must clearly communicate with people whose data you use
When someone shares their personal data with you, they may not completely understand what you will be using it for – even if you have already told them. If someone believes that you are using their personal information in a manner that they did not agree to, you will have a major problem. To prevent this, do away with any industry jargon and clearly communicate the exact reasons that you are collecting a person's personal data.
Make sure that you have clear consent to use personal data
Before you use someone's personal data, you want to make sure that you're allowed to in the first place. Even if you feel as though you gained consent, you could be perceived as a data thief if you cannot prove it. When you are collecting data, explain why and how you will be using it in writing, and have your customer or employee sign forms stating that they have given you consent to use their information.
You must get rid of personal data when you are done with it
As we mentioned earlier, the less personal data that your company holds, the harder it is for a data thief to steal anything important. When you are finished using someone's personal data, you must destroy that record right away. Data that no longer exists cannot be stolen, so this reduces the likelihood of theft to zero.
Is your business properly protecting data?
You must adhere to these data protection responsibilities to protect both your company and the owner of the data you are using.