The result of an event – business issues around record keeping



In our previous publication, we discussed the legal obligations and procedural issues of record keeping in privacy matters. While specific obligations vary by jurisdiction, maintaining a record that tracks privacy matters is a legal obligation for private sector organizations subject to Quebec, Alberta or federal laws. Organizations should be aware that sector-specific legal obligations may also apply, for example in the healthcare or financial services industries.

In this post, we’ll discuss the practical benefits of a good privacy breach record keeping program.

Risk management and mitigation

Regulators are now well aware that it is not a matter of “if” but “when” an organization will experience a privacy breach. Since the start of the pandemic, external threats have increased dramatically and no one is immune. In this environment, privacy breaches are a recognized risk for every organization, and businesses must demonstrate that they are taking steps to mitigate that risk, in the same way they manage other risks to their operations. Risk assessments are very reliable when tracking violations; organizations can understand the root causes of past violations and take steps to correct existing issues.

Likewise, a track record of corrective actions and improvements to existing privacy compliance programs demonstrates that an organization is committed to improving its practices and remaining at the forefront of industry standards in privacy.

M&A and Securities Law

Keeping records of privacy issues is appropriate from both a buyer’s and seller’s point of view in an M&A context.

For a buyer, privacy records provide valuable information about the seller’s privacy management structure. In fact, if a seller fails to provide such records or provides records that are incomplete or incorrect with respect to legal obligations, this may indicate non-compliance with the general legal requirements. A buyer should conduct due diligence to identify and evaluate any privacy and data compliance issues. Similarly, having a robust breach record-keeping program will increase buyer confidence and avoid negotiating offers based on discounts or privacy compliance risks. In addition, buyers should consider the content of the records. For example, if the records show multiple privacy issues or multiple similar incidents, this may be a sign of general deficiencies in the seller’s privacy training or management, which may require the buyer to spend resources after closing to correct these deficiencies.

From the seller’s perspective, developing accurate and detailed records of privacy issues during the due diligence review process demonstrates a well-organized approach to regulatory compliance, which helps build buyer confidence and minimizes delays. Conversely, inadequate record keeping may prompt the buyer to reevaluate the property or request additional representations and warranties, while missing records may prevent the seller from making representations regarding personal matters, thereby increasing their liability after closing.

Increased reporting requirements for public companies are another reason businesses need to monitor privacy breaches; managing and mitigating risk will reduce breaches over time, thus reducing the need to file reports with securities regulators.

Contract requirements and evidentiary purposes

Finally, organizations should consider whether they are required to document privacy issues under contractual requirements. For example, organizations that process personal data on behalf of other parties under a Data Processing Agreement (DPA) may be contractually required to keep a record of any incident involving the data they process under the DPA. In general, any organization that enters into agreements regarding the transfer or processing of personal data should be carefully scrutinized to ensure that they are meeting their obligations to record those agreements.

Additionally, there are instances where regulators have followed privacy concerns, records of past incidents, and corrective actions as part of their analysis. For example, the Office of the Privacy Commissioner of Canada, in its investigations, has reviewed changes implemented by an organization following a privacy incident to determine whether additional recommendations are needed. Similarly, records of privacy issues can be useful in litigation defense, as evidence of what measures have been implemented to mitigate risks. As class actions arising from privacy issues are on the rise, businesses must ensure that they have adequate means of proving that measures have been taken to minimize harm to individuals who may be harmed by the incident.

In the coming years, maintaining appropriate records of privacy issues will be important for Canadian organizations, especially given recent legislative changes that will expose organizations to significant fines if they fail to comply. With the ever-increasing number of privacy incidents, it will be fundamental to be able to demonstrate how organizations have experienced and responded to them.

The authors would like to thank law student Marilu Butti for her assistance in preparing this blog post.


