Podcast 54 Transcript: Privacy

Written by Ian Portsmouth

Ian Portsmouth: Welcome to the Business Coach Podcast, an advice-oriented series that tackles the top issues and opportunities facing Canada’s small businesses. I’m your host, Ian Portsmouth, the editor of Profit Magazine and we’ve developed this podcast in cooperation with BMO, Bank of Montreal.

Privacy rights are increasingly a matter of public debate and companies are legally required to protect the privacy of those they do business with. Despite those facts, most business owners would place privacy protection far down their list of concerns and, in doing so, they could be putting themselves at significant risk of legal censure and reputational damage. To help entrepreneurs manage privacy issues, the Canadian Institute of Chartered Accountants has just published “The Canadian Privacy and Data Security Tool Kit for Small and Medium Enterprises.” One of its co-authors is Nicholas Cheung, Principal of Assurance Services Development for the Canadian Institute of Chartered Accountants, and he’s standing by to help us understand the whys, whats and hows of privacy for small business. Nicholas, welcome to the Business Coach Podcast.

Nicholas Cheung: Thanks, Ian. It’s a pleasure to be here.

Ian Portsmouth: So tell me, what does privacy mean in the context of small business in Canada?

Nicholas Cheung: Well, privacy really refers to how personal information is handled within a business once it comes in the door. Businesses need to see themselves as custodians of personal information that they receive from their customers, and it’s the customers who own their personal information, not businesses. And that’s how businesses really need to see that information, that they are keeping it in trust for their customers.

Ian Portsmouth: And when you say customers and personal information, are we really talking about information about individuals or is information about companies considered private?

Nicholas Cheung: Well, as far as privacy law is concerned, we’re talking about personal information that relates to individuals. And what does this include? It includes the pretty obvious things like names, addresses, credit card numbers and driver’s license numbers. But the definition is actually broader than that, broader than most people realize, and it includes health information and customer purchase information as well.

Ian Portsmouth: So, when did privacy become such a big deal for SMEs? Because I know that when I started in this business almost 15 years ago, we certainly weren’t thinking about privacy, companies weren’t talking about it.

Nicholas Cheung: Well, I think certainly it’s been in the news a lot more lately. A lot of people are more aware of the privacy breaches that have happened in major organizations, but I think privacy has always been important for SMEs, whether they realized it or not. And I think that the reason so is because of the closer and stronger relationship that many small businesses have with their customers. Customers often will choose smaller businesses because they expect friendlier and better customer service than they might otherwise get at another organization and, therefore, a closer bond may exist between these businesses and their customers. So protecting personal information from their customers means protecting their relationship with these customers. And that is why privacy is not only good for business, but it’s essential to maintaining that trust.

Ian Portsmouth: Nicholas, I think privacy issues really came to the fore for small businesses about five or six years ago when PIPEDA legislation came in. That of course is the Personal Information Privacy and Electronic Documents Act. What have been one or two of the key impacts, whether they were good or bad, on small and mid-sized businesses due to this legislation?

Nicholas Cheung: Well, I think that certainly it has put a new awareness about privacy, and I think one of the things that it has done is it’s compelled organizations such as SMEs to kind of codify or make more public their own privacy practices, such as putting a privacy notice on their website and making sure that they adhere to it. But since that time, changes are being proposed to PIPEDA every year. Every five years it does come up for a review and one of the more significant proposed amendments to PIPEDA is regarding breach notification. Depending on the severity of the privacy breach, businesses might be required to notify the Federal Privacy Commissioner’s Office and/or customers that are affected. And notification to the Federal Privacy Commissioner’s Office would be based on criteria to be determined. But a danger here is, obviously, increased scrutiny by their office. So organizations would also need to assess whether customers should be notified. So many privacy professionals, unfortunately, now say it’s not if, but when a privacy breach may occur in an organization. So taking appropriate steps to strengthen your privacy practices is the best way to avoid a privacy breach.

Ian Portsmouth: So, how good are SMEs at obeying the privacy law and protecting their customers’ privacy? Are a lot of them in a position where there’s an accident waiting to happen?

Nicholas Cheung: In March 2007, the Federal Privacy Commissioner’s Office actually did a survey, and it noted that 29% of small businesses had not fully implemented clear privacy policies. And 24% had not fully implemented safeguards to the privacy of personal information. So, obviously, that tells us that there’s a lot more that can be done in this particular area. And even 50% of businesses had only indicated a low-to-moderate awareness of their responsibilities under privacy legislation. So clearly there needs to be a lot more work done in this area. So that’s why the CICA saw an opportunity to produce a tool kit to help SMEs in this area. We recognize that SME owners are busy people and don’t have time to read a book cover to cover, and they’re busy with various issues such as the economic crisis, and this is just one risk issue of many that they have to consider. So our tool kit is designed to make it easy for readers to pick and choose what they need to do and what they need to know to address the issues that they face. So we, essentially, tried to make it more efficient for business owners to address this particular risk area. So it includes self-assessments on data security and privacy so that organizations can quickly pinpoint areas that might need improvement. And it even provides a sample privacy policy that can be customized. And another realization as to why this is such an important issue is the participation that we have received from the Federal and Ontario Privacy Commissioners. We have worked closely with them on this publication, and that kind of shows how important a business issue they believe this is to SMEs as well.

Ian Portsmouth: And where can SMEs get this new book?

Nicholas Cheung: They can go to our website at www.cica.ca/privacy or they can call our order department at 1-800-268-3973.

Ian Portsmouth: And now, Nicholas, in closing, why don’t you give us the top three privacy best practices for SMEs? What should every company be doing in order to safeguard the privacy of their customers?

Nicholas Cheung: Well, it probably really boils down to these three things, I think, as far as SMEs are concerned. One would be securing portable devices. And so what we’re talking about is securing laptops, USB flash drives, BlackBerrys. A survey was done and lost laptops and portable devices account for half of all costs of data breaches. In fact, a survey of UK dry cleaners revealed that in one year alone, they had collected 9,000 USB keys from laundry they had collected. So, obviously, you can see that there is a lot of potential for danger and harm from the loss of these particular devices. So businesses really need to ask themselves whether personal information really needs to be taken offsite. And, in fact, some jurisdictions have even commented that they will not consider the loss of a device that is encrypted to be a privacy breach. Another thing that SMEs should consider is buying a heavy-duty shredder. A lot of information comes into a company and a lot of times it ends up just in the trash or even in the recycling bin. So a heavy-duty shredder is really what’s required to dispose of this information securely. So we recommend a cross-cut shredder or, in the case where your organization actually might have a large volume of personal information, to use an accredited third-party service if you can’t handle it all yourself. Now, the last thing is training your staff. Not only is this required by privacy law, but 63% of businesses actually report their staff have not received any training on privacy despite the fact that privacy laws require you to do so. Yet once a breach has occurred, training and awareness programs are the number one initiative that companies undertake to address their privacy deficiencies. So, obviously, if you’re going to have to resort to doing a training program after the fact, why not be proactive and do that before the fact and save yourself a lot of grief?

In our tool kit we actually provide PowerPoint templates to make it easier for SMEs to address this particular initiative. So you can just customize the PowerPoint presentation to your organization’s policies and practices and away you go.

Ian Portsmouth: Nicholas, thanks very much. We’ll be sure to pick up the tool kit and thanks for joining the Business Coach Podcast.

Nicholas Cheung: Thanks. It was a pleasure to be here.

Ian Portsmouth: Nicholas Cheung is Principal of Assurance Services Development for the Canadian Institute of Chartered Accountants and is also one of the co-authors of “The Canadian Privacy and Data Security Tool Kit for Small and Medium Enterprises.”

That’s it for another episode of the Business Coach Podcast. Be sure to check out other episodes, which you can download from BMO.com, profitguide.com and iTunes. If you have any comments or suggestions about the podcast, then please send them to me at ian.portsmouth@profit.rogers.com.

Until next time, I’m Ian Portsmouth, the editor of Profit Magazine, wishing you continued success.

Originally appeared on PROFITguide.com