The risks you face are bigger than you think—an interview with Bell Privacy expert, Angela Power
Every organization has an obligation to safeguard the personal information of its clients and employees. Whether your organization is regulated by PIPEDA or another statute, the question you face is the same: How do you ensure that you manage private data in a way that reduces your exposure to risk?
To hear the latest about managing risks of privacy-related data, we talked to Angela Power, Director of Bell Business Markets Privacy Centre of Excellence, and learned that many organizations need to take a more comprehensive approach—and that the risks they face are bigger than most think.
Business Insights: There seems to be a lot of ambiguity about privacy and what responsibilities organizations have to manage private data. What are the biggest misconceptions that you encounter when talking to executives?
Angela Power: There are two big misconceptions. The first is what even constitutes personal data. Privacy in this context is 'the protection of an individual's right to control the collection, dissemination and use of his or her personal information or data', and we typically think of personal data as names, email addresses, health records and the like. But organizations need to safeguard any data that could directly or indirectly identify an individual, including publicly available information, like telephone numbers. That is a broader definition than most organizations typically apply.
The other big misconception is that once you have put security measures in place, you have effectively addressed privacy risks. Privacy and security are actually quite distinct. Security processes aim to maintain the integrity and confidentiality of all data, including business data, while privacy is about ensuring that specifically personal information is collected, used and disclosed in appropriate ways. Privacy requires different considerations and different approaches than security in order to ensure that individuals' rights are maintained.
BI: Many organizations think privacy legislation lacks teeth. What are the potential ramifications of a breach?
AP: There are many ramifications that result from breaches. Regulators do have the ability to enforce recommendations in order to ensure that organizations or companies comply with the rules set by privacy law. The potential ramifications go way beyond just fines. There are the costs of determining what went wrong, rectifying the situation, and informing the people whose privacy has been compromised, plus any financial compensation that may need to be awarded. A privacy commissioner could perform an investigation and issue public reports. By far the greatest potential damage is to companies' public reputations. Sales can take a hit and so can investor confidence. Privacy violations can devastate the public's sense of trust in the company or institution. That's the real risk organizations face.
BI: What are Bell clients currently doing to safeguard privacy data?
AP: We've been working with clients, mostly in healthcare and government, on using various tools including privacy risk assessments, privacy gap analyses and recommendations surrounding privacy management frameworks. Many clients have implemented an assessment solution we developed that automates privacy assessments for cost-effectiveness and generates recommendations and reports that organizations can mine for greater insight. For example, the Public Health Agency of Canada now uses the Bell Privacy Manager to conduct all privacy impact assessments. It's a useful tool that saves time and money. There's also an emerging class of data de-identification software that masks personal data from being identifiable, but still allows an organization to mine and use the data.
BI: How do you see companies' approach to managing private data changing?
AP: Privacy breaches have been making the front page more often, and thanks to the public efforts of Canada's Privacy Commissioner to improve the practices of Facebook, Google and others, there is greater awareness. But the whole field of data privacy is still really in its infancy. Privacy protection needs to be built into the design of all new systems that are created to capture or handle personal information. Check out the Information and Privacy Commissioner of Ontario's Privacy by Design site for a useful guide to embedding privacy proactively into technology. While government and health agencies are actively assessing how they manage private data, it's time that the private sector gets serious too. You would be surprised how few organizations actually step back and think about all the information that they are collecting, how it's being used and how they safeguard it.
BI: Where should companies start?
AP: When you think of data risk and its relation to privacy, think in broad terms: paper, electronic, video, telephone calls that are recorded. Assess what information is being collected and what's being done with it. It's important to consider how your organization handles private data and that requires a deeper analysis of more than just the general security measures that protect all data.
About Angela Power
Angela Power is the Director for the Privacy Centre of Excellence at Bell Canada. She has worked to address specific privacy issues within healthcare, education, finance, and telecommunications fields, as well as large cross-departmental IT initiatives. In addition, Angela trains public bodies on their privacy obligations under the applicable legislative regimes across multiple provincial/federally regulated landscapes. She specializes in privacy solution development and implementation, privacy impact assessments, privacy policy development, and privacy breach protocol development.