Q&A with Ray Pathak, MD The DPO Centre, Canada
The Personal Information Protection and Electronics Act (PIPEDA) was enacted in April 2000. Since then, there have been significant changes in global data protection and technological advancements, necessitating amendments to Canadian federal legislation.
The Digital Charter Implementation Act, 2022 (also known as Bill C-27) is the proposed update to PIPEDA. It is currently under consideration in the Senate. If enacted, the new law will require organizations to prepare for stricter regulations and increased enforcements.
Here, we talk to Ray Pathak, a former Privacy Officer with over 15 years of Canada privacy experience and MD of The DPO Centre Canada. He sheds light on some of the current challenges faced by Canadian organizations, keeping in mind the potential law changes and the evolving role of privacy professionals.
Ray, can you tell us a little bit about your background?
I’ve been in the privacy space for almost 20 years. From 2005-2015, I was a Privacy Officer, leading a wide variety of privacy programs. For the last 8 years, I have been leading and developing privacy solutions in the Privacy Tech sector.
I’m privileged to now lead The DPO Centre’s Canadian office, where I work with organizations to help guide them through the increasing complexities of local and international privacy regulations.
What are the key privacy challenges currently faced by organizations in Canada?
With so many evolving global privacy laws, organizations operating across multiple jurisdictions face ongoing challenges to keep up with the changes.
Canadian organizations must adapt to new legislation such as Quebec’s Law 25 and the potential federal changes, as and when Bill 27 passes.
In addition, emerging technologies like AI have introduced new privacy challenges, including the risk of breach threats with sophisticated attacks, and an increase in state sponsored attacks.
With the upcoming changes in Quebec’s privacy legislation, what should businesses do to prepare for compliance with Law 25?
Law 25 is being implemented in stages.
Stage 1 came into effect on September 22, 2022, and covered the mandatory designation of a Privacy Officer and Privacy Impact Assessments (PIAs).
Stage 2 came into effect on September 22, 2023, focussing on Accountability, Consent, Transparency, Individual Rights, and other key principals of privacy management.
Stage 3 will come into effect on September 22, 2024, and deals with data portability rights.
Businesses should complete a gap assessment of their current programs and adapt their policies, procedures, and data handling practices to ensure they comply with the stricter obligations under Law 25. Key areas to address will be Consent, PIAs, and cross-border transfers.
Do you think there will be changes to other provincial laws?
With changes already in place in Quebec, and proposed changes to the Federal privacy law, I think it will only be a matter of time before the Alberta and British Columbia laws are amended.
Also, the province of Ontario has been talking about introducing their own privacy legislation for some time, and I believe the introduction of this is inevitable in the next two to five years.
How do Canadian laws regulate the use of AI systems?
There is currently no single comprehensive law that deals specifically with AI in Canada.
The Artificial Intelligence and Data Act (AIDA) was introduced in June 2022 as part of Bill C-27, which advocates a risk-based approach to AI systems.
There are other sector laws that touch on AI within their domains, such as healthcare and finance, and PIPEDA can be applied to cover AI systems that collect, use, or disclose personal information. However, none of these laws are tailored to AI, and they fail to address the unique privacy challenges that come with these technologies.
How do provincial laws like those in Alberta and British Columbia interact with PIPEDA?
PIPEDA is the overarching privacy law for private sector companies that collect, use, or disclose personal information in Canada.
However, when processing data in a province with its own privacy law, such as Alberta, British Columbia, or Quebec, the provincial law applies over the federal PIPEDA law.
Most organizations operate across multiple provinces and may need to comply with up to four privacy laws – three provincial laws and the federal regulation.
The good news is that provincial privacy laws have to be substantially similar to the federal privacy law, which ensures a certain amount of consistency for compliance. Although, there are still some significant differences, such as employee privacy, which is covered under provincial privacy laws for most private organizations, but not the current federal PIPEDA law.
What would you say the greatest challenge is for the privacy industry at the moment?
The limited number of knowledgeable privacy professionals is a big challenge for organizations, especially if they only require part-time support. This can often lead to privacy being managed reactively, and as a secondary priority, by someone fulfilling another role within the company.
That’s one of the key reasons why I joined The DPO Centre. We have an incredible pool of talent and a commitment to excellence. We’ve worked with over 900 organizations globally since 2017, and we can offer unparalleled support to organizations, providing in-depth privacy knowledge and expertise.
What are some common misconceptions about the data protection industry? How do you deal with them?
The biggest misconception is that you can “complete” your privacy program, tick the box, and be done with it.
However, if an organisation processes and stores personal data, there is a continual need for ongoing data management. It is one thing to adhere to a set of policies and another to truly safeguard data and ensure practices and processes are monitored and optimised.
Organizations with strong privacy governance and embedded privacy by design practices are better equipped to mitigate risks and build customer trust, loyalty and engagement.
What range of privacy services does The DPO Centre Canada offer?
Our Canadian team offer the same full-service privacy support that our clients benefit from the UK and EU offices, with the appropriate changes to accommodate Canadian privacy standards.
Canadian Data Privacy Officers are available to assess, remediate, and operate your privacy program on an ongoing ‘fractional’ basis, provide ad hoc consulting support as required, and complete mandatory documentation such as Privacy Impact Assessments (PIAs).
We also provide EU and UK GDPR representation for Canadian companies operating in the European Economic Area (EEA) and/or the UK. A GDPR Representative is a requirement for organizations that process the personal data of EEA or UK individuals but do not have a physical office in those jurisdictions.
With the rise of global data protection laws, how does The DPO Centre Canada ensure multinational compliance?
Many Canadian businesses are aiming for international growth, and privacy can be a significant roadblock as they expand.
The DPO Centre, has one of the largest teams of privacy experts available. Our DPOs are highly experienced privacy professionals, each with specialist industry sector knowledge and a deep understanding of global privacy laws.
Therefore, we help organizations ensure that privacy isn’t a barrier as they grow globally.
How do you foresee the future of privacy services evolving over the next five years?
I think we’ll see a continuing shift towards regarding privacy, not merely as a legal obligation but also as a key aspect of customer service and relationship management.
We already work with organizations that understand privacy compliance is only a baseline requirement, especially in business-to-business industries. They recognize the potential for accelerated growth by leveraging excellent privacy practices that build trust, loyalty and engagement with their customers. It is therefore a crucial differentiator, helping them stand out from their competitors.
As Canada’s privacy regulations evolve, our commitment to delivering top-tier privacy services continues. Supporting and empowering organizations to navigate complex legislation with confidence and integrity.
The DPO Centre Canada
If you would like to discuss how our outsourced privacy services can help support your organization’s privacy governance, please contact The DPO Centre Canada team
For EU and UK data protection support, please see our range of EU/UK services
See also our recent blog, offering advice and guidance to support compliance with Quebec’s Law 25