STRATEGY AND POLICY

Strategy and policy are at the heart of any effective information management program, whether or not it is privacy-focused. Without an effective strategy and pragmatic policies and procedures to govern information management operations, the organization is virtually certain to suffer from privacy breaches and other failures of information management. Strong privacy policies and procedures are critical for compliance with any privacy law.

Excela Associates can assist you in the development of privacy strategy, policy and procedures for any public or private sector organization, regardless of its jurisdiction, industry or size. Excela's president and associates have long experience in the development and implementation of strategy, policy and procedures for privacy protection and other aspects of information management.

We have developed privacy policies and strategies for clients in Alberta, Saskatchewan, Manitoba, Ontario and Newfoundland and Labrador, in the public, healthcare and private sectors. We have also assisted Alberta's Office of the Information and Privacy Commissioner in the development and implementation of privacy impact assessment standards for that office.

Insofar as privacy compliance is concerned, we are experienced in the interpretation of all privacy legislation in Canada. We are experts in the implementation of privacy practices in sensitive areas of business operations, including security, contracting, human resources, marketing, customer relationship management, data mining and others.

We can also assist Canadian organizations that need to address compliance issues associated with the EU's General Data Protection Regulation (GDPR). The GDPR requires more stringent privacy protection measures than any Canadian legislation and has stiff penalties for noncompliance, ranging up to 4% of global revenues.

Canada currently has adequacy status for the Personal Information Protection and Electronic Documents Act (PIPEDA). That means that PIPEDA compliance is currently considered by the EU to be adequate for compliance with EU privacy law. That said, many doubt whether that status can be retained under the GDPR at such time as Canada’s adequacy is reviewed, unless Canadian law is strengthened in the meantime. A review is expected within the next two or three years, if not before.

Canadian organizations doing business with EU citizens need to plan for the GDPR; those that do not may eventually find it hard to do business with EU residents. We can help you develop the necessary policies and procedures.