01 - Home
Privacy Management Program - Build Consumer Trust
Helping organizations implement ethical, customer-first privacy programs.
Your Fractional Privacy Officer
Get the strategic privacy guidance your organization needs with the flexibility and affordability that makes sense for your business.
Personal Data Mapping
Understanding what data your organization uses is fundamental to any privacy program.
Vendor Privacy & Security Audits
Our comprehensive vendor privacy & security audits systematically examine how your third-party partners handle personal information under your stewardship.

//   02 - About Us

Why Newport Thomson?

In-Depth Privacy Knowledge

From the General Data Protection Regulations (GDPR) in the EU and UK to the Personal Information Protection and Electronic Documents Act (PIPEDA) and Canadian Anti Spam Legislation (CASL), we have worked in many sectors to implement improvements to Privacy Management Programs.

Proven Processes

Our compliance roadmap is based on simplicity and is designed to tackle the priorities with urgency. With a clear and proven process we waste little to no time bringing your organization into compliance.

No Red Tape

We issue a clear and complete statement of work and a simple one-page contract designed to manage expectations of all parties.

Project Based

We only get paid when we are producing value for your organization. We hate retainer fees. Same applies to our sister company - LACKEY Advertising.

//   Privacy Bill

Quebec Has Changed Canada's Privacy Landscape

Do you know your organization has many new obligations regarding privacy and data protection?

If your organization operates across Canada, chances are your database consists of 20-25% Quebec residents. Law 25 applies. And it has started coming into force. Now, the highest authority in the enterprise is in charge of all personal data collected, used, stored, shared and secured by that organization.

Quebec's Law 25

If your organization operates across Canada, chances are your database consists of 20-25% Quebec residents. Law 25 applies. And it is in full force. Now, the highest authority in the enterprise is in charge of all personal data collected, used, stored, shared and secured by that organization.

CASL | QUEBEC Law 25 | PIPEDA | CCPA 2018 & CPRA | GDPR

//   03 - Our clients

We have worked with large and small clients in a variety of sectors


A PRIVACY AGENCY

We are privacy specialists with a strategic marketing background. We can help create new, compliant practices that perform.


Frequently Asked Questions

We help organizations implement Privacy Management Programs. We work on clearly scoped projects with specific timelines and budgets. Our objective is to re-build trust with your primary audience, by ensuring all practices are ethical and "for the consumer". 

General Data Protection Regulations (GDPR - EU and UK)

The Personal Information Protection and Electronic Documents Act (PIPEDA - Canada)

Canadian Anti Spam Legislation (CASL - Canada)

Telecommunications Act (Canada)

Act respecting the protection of personal information in the private sector (PPIPS - Quebec)

Freedom of Information and Protection of Privacy Act (FIPPA - Ontario)

Personal Health Information Protection Act (PHIPA - Canada)

California Consumer Privacy Act of 2018 (CCPA - California)

We recommend documenting your current practices via a thorough Privacy Review. The best platform to use is Safeguard Privacy, which allows you to answer questions and determine your % compliance against a particular law. Contact us to arrange a demo.

Yes. We have scoured the internet to find THE best-of-breed automation tools that serve specific purposes and help you implement a Privacy Management Program with the least pain.

According to Baker McKenzie - Data protection authorities in Canada are not obligated to cooperate with data protection authorities from within or outside Canada; however, there are a number of discretionary legal instruments that enable them to do so, as follows.

  • The OPC reserves the power to consult with provincial privacy regulators in Canada to coordinate the activities of its office and to handle complaints of mutual interest. The OPC also has the power to cooperate with data protection authorities in foreign states. This power allows the OPC to share information that is relevant or could assist with an ongoing or potential investigation or complaint.
  • Privacy regulators in Canada may use a Memorandum of Understanding with foreign data protection authorities, which does not mandate but encourages cooperation based on a common understanding.

According to Baker McKenzie - Federal and provincial privacy laws provide administrative sanctions and criminal consequences for non-compliance with and breaches of privacy laws.

PIPEDA provides that it is an offence to knowingly infringe statutory and regulatory breach reporting and notification obligations, which generally require a person or business to report an incident to the OPC involving unauthorised access to or disclosure of PI that has the potential to create a ‘real risk of significant harm’ (RROSH) to one or more data subjects impacted by the incident and to notify individuals that may have been impacted by such an incident as soon as is feasible. Failure to report an RROSH incident or to notify affected individuals can result in an indictable offence and gives the OPC power to impose a fine not exceeding C$100,000.

Under the Alberta PIPA, the Alberta OIC can impose a fine not exceeding C$100,000 for failure to report a prescribed privacy incident or to notify affected individuals. Under the Quebec Act, the Quebec CAI can impose a fine not exceeding C$25,000,000 or 4 per cent of the business’ worldwide turnover for the preceding fiscal year for failure to report a prescribed confidentiality incident or notify affected individuals.

According to Baker McKenzie - Privacy laws in Canada do not cover all sectors; the specific scope of a privacy law depends on the law itself and whether it falls under federal or provincial jurisdiction. For example, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to an organisation that collects, uses or discloses PI in the course of commercial activities (eg, not-for-profit or charitable activities could be excluded) or where such activities relate to an employee or applicant for employment in connection with the operation of a federal work, undertaking or business. PIPEDA may not apply to the collection, use or disclosure of PI from employees in a non-federally regulated sector.

According to Baker McKenzie - There are federal and provincial laws that govern the interception of communications and the electronic monitoring and surveillance of individuals. With respect to interception, Canada’s Criminal Code makes it an indictable offence, punishable by up to five years in prison, to knowingly intercept a private communication by means of any electro-magnetic, acoustic, mechanical or other device; however, the Code recognises that interception may be permissible with the originator’s consent. The Criminal Code also gives law enforcement the power to access private communications in certain circumstances, generally where they have obtained a valid warrant or judicial authorisation.

Ontario’s Employment Standards Act 2000 requires employers with 25 or more employees in the province to have a written electronic monitoring policy that informs employees about the means of electronic monitoring and purposes for such monitoring.

According to Baker McKenzie - Canada’s Anti-Spam Law imposes obligations on persons and businesses that send commercial electronic messages (CEMs), which are electronic messages, in any form, that are sent for a commercial purpose (eg, marketing emails or messages sent to a person’s social media inbox). Generally, a business is required to obtain an individual’s express consent before sending them a CEM, unless a limited exception applies that would allow the business to rely on implied consent (eg, in circumstances where the recipient of the CEM is a prior or existing customer). CEMs must also contain an unsubscribe mechanism.

The Office of the Privacy Commissioner of Canada (OPC) has also published guidance on online behavioural advertising and the use of cookies, which sets out the conditions under which implied consent to online behavioural advertising can be considered acceptable. The guidance also generally prohibits the use of certain types of cookies and generally prohibits the tracking of children and tracking on websites aimed at children. In the context of behavioural advertising, data subjects must be given the ability to decline tracking technologies (eg, use of cookies).

According to Baker McKenzie - Federal and provincial privacy laws cover a wide range of PI, including any information, irrespective of format (eg, recorded, audio, video, or otherwise), which creates a serious possibility that, alone or combined with other information, a natural person could be personally identified.

According to Baker McKenzie - All processing of PI is covered, although the duties and responsibilities differ between those that control the PI and those that process the PI. Those that control the PI, which are generally the organisations that own the PI or for whom the PI was initially collected, are accountable for such PI under PIPEDA, Schedule 1 (Fair Information Principles). Included in the Fair Information Principles is the requirement to ensure through contractual means that the PI receives adequate protection if it is transferred to another entity, such as a service provider, for processing. Service providers or processors are, therefore, not held accountable directly through PIPEDA but through contractual agreements with the organisation that controls the PI.