Privacy should be a priority for all manufacturers: commissioner

Collecting order and payment data from clients is crucial to running a successful business, but in today’s digital age it’s incumbent on manufacturers of all sizes to keep that information secure.

“If (manufacturers) are dealing with personally-identifiable information—by that I mean names and addresses of customers (or) any identifying information—then you have to care about privacy,” Ontario’s Information and Privacy Commissioner Dr. Ann Cavoukian says.

“It’s that process of data linkage to identifiable individuals that means that any information you have in your database is in need of protecting in terms of privacy,” she says, adding payment information like account or credit card numbers are data that must be protected.

In her new paper, Operationalizing Privacy By Design: A Guide to Implementing Strong Privacy Practices, Cavoukian outlines the actions organizations need to take in order to ensure success in implementing privacy regulations.

According to Cavoukian, there is a distinct competitive advantage for businesses that embed privacy practices in their day-to-day operations.

Clients tend to respond well to those operating with such a mandate.

“Customers just love companies and organizations that protect their privacy,” Cavoukian says.

While the notion of a privacy breach is often associated with computer hacking, Cavoukian stresses that most incidents are nothing more than innocent errors that could carry major consequences.

“A lot of times it’s a data breach associated with a customer order or a list of customers … that somehow is being sent from one entity to another and it goes out into the open (and) gets accessed in an unauthorized way or it’s sent to the wrong third party,” she says.

“That’s why we say you have to be so vigilant in terms of the ease of which information can be shared and exchanged.”

Many provinces, including Ontario, lack privacy legislature for the private sector, however the federal Personal Information Protection and Electronic Documents Act (PIPEDA) governs all businesses in the country.

The consequences of a privacy breach under provincial or federal law can be severe—including federal court proceedings—but some losses outweigh others.

“More than the regulatory aspects, the loss of consumer confidence and trust I think is the biggest issue,” Cavoukian says.

To combat potential breaches, she says it’s important to review internal operations to ensure safety measures are in place.

“If you’re a really small company, my advice would be to take a look at the lists of customer records that you have and only use the information that (is) associated with those lists for the primary purpose,” she said.

A small business should consider buying a privacy impact assessment tool or hire an expert to conduct such an assessment.

Another tool firms can use, according to Cavoukian, is what’s called a data map—a checklist, of sorts, that maps where all personally-identifiable information goes.

“The cost of doing this at the front end pales in comparison (to) what it would cost you at the tail end if you have a data breach,” she says. “Because then, not only are you going to be in breach of some privacy law, but you’re going to lose customer confidence, you’re going to lose your customer’s trust and you may have considerable damage to your brand and your reputation, not to mention financial costs.”