This article was originally published by Les Affaires.
As of Sept. 22, 2022, some 220,000 businesses operating in the province of Québec must have a privacy officer. There are no exceptions. The person with the highest authority within the organization automatically assumes this responsibility unless it is delegated to somebody else. However, there is still time to find the person best suited to this new role.
Most companies have long had a chief technology officer (CTO). The chief information security officer (CISO) is a more recently established position. Organizations operating in Québec will now have to contend with a new executive: the (Chief) privacy officer (CPO, aka as DPO or data protection officer in Europe). Who is this person? What do they do? Where do they fit in? Why them? These are all good questions. As is often the case, there are no easy answers.
The (very) long arm of the law
It started almost a year ago to the day. Québec Bill 25, An Act to modernize legislative provisions as regards the protection of personal information, was passed with great fanfare. The objective was clear: to modernize privacy laws at all costs to respond to recent developments, catch up with technological advances and align with European regulations. Québec must become (once again) a privacy leader. The ends justify the means, including stricter and more prescriptive rules than those of the European Union and, of course, its neighbours in the rest of Canada.
The new role of privacy officer is a good example. In Québec, any business, regardless of size, resources or area of activity, has an obligation, if it handles any personal information whatsoever, to assume the role of a privacy officer or to delegate the role in writing to a specific person. In other words, a convenience store in a remote region of Québec must protect its customers' data to the same extent as a multinational technology company must protect its users' data. In the European Union, on the other hand, only companies that handle "sensitive" or more intrusive personal information on a large scale are required to designate a data protection officer (DPO). This role is therefore neither automatic nor systematic within the European Union.
Some people might play down or shrug off this development by telling themselves, "It's one more hat to wear. It's not the first or the last. It's just one more hat that could sit around and gather dust without anybody noticing." Nothing could be further from the truth. The privacy officer has many duties and responsibilities, including approving privacy policies and practices, participating in privacy impact assessments, and helping assess harm caused by a confidentiality incident. Above all, the Privacy Officer is the person everyone turns to when there are data or privacy protection issues that can quickly become real problems.
You can never be too careful
As a result, Parliament drafted a job description that includes the duties and responsibilities of a privacy officer. Now organizations must fill that vacancy—and this is where things get complicated.
Which internal resource should take on this role? It depends. Often it should be whoever works the most with the company's data. How do you train them? It depends. No specific qualifications are required, but the person should at least have some knowledge of Québec's privacy regime. How independent should this person be? It depends, but they should not be a mere puppet. What's the budget for this position? It depends, especially on company growth and the resources available for information security. Could somebody outside the organization be recruited? It depends. The market is still in its infancy and, as the European example shows, is not expanding. Can this role be outsourced? It depends. That's definitely an option, and there are advantages and disadvantages.
One thing is for sure—companies must publish the privacy officer's title and contact information on their websites. If a company does not have a website, it must make this information available by any other appropriate means. The privacy officer's information must be a part of the public record. That's a legislative requirement as of Sept. 22, 2022.
It is now up to all organizations operating in Québec to onboard the new privacy officer, keeping in mind that it is not the role that makes the officer, but the officer who brings substance to the role.
Should you have any questions about your company's privacy officer, please feel free to contact a member of our Quebec Cyber Security & Data Protection Group.