Q&A: Jennifer Stoddart – Former Privacy Commissioner of Canada
Jennifer Stoddart served as the federal Privacy Commissioner from 2003 to 2013. Among her many other distinctions, Stoddart has held positions on the Human Rights Commissions of Canada and Quebec, was named an Officer of the Order of Canada for her service to privacy rights, and is a mentor for the Women’s Executive Network (WXN). Most recently, Stoddart joined Montreal law firm Fasken as a strategic advisor in its privacy and cybersecurity group.
Canadian Security spoke with Stoddart to get her take on privacy today and how Canadian businesses should prepare for cyberthreats. This is an excerpt from that conversation.
Canadian Security: How has privacy changed since you were commissioner?
Jennifer Stoddart: I think the trends have intensified [but] I don’t think there’s anything drastically new that wasn’t being evoked five years ago. But what I’ve noticed now… is how anxious people seem to be about their privacy… There was a good chunk of Canadians who were anxious, but the whole intensification of the scene between what can happen, cyberbreaches, cyber predators… and then the reaction of the government, not only here but in the European Union and elsewhere [like] California to try to contain this. It’s making a perfect storm of privacy anxiety.
CS: What is your opinion of the new breach notification legislation that came into effect in November as well as GDPR legislation in Europe?
JS: That’s a big game changer. We knew both were coming for a long time. But it requires much more attention on the part of organizations as to what they’re doing with people’s personal information. As you know, in Canada, they have to do data breach reports. This is the most stringent Canadian legislation we’ve ever seen.
The GDPR is a game-changer with these huge fines that are possible. [There are] quite stringent requirements in terms of investing in privacy and security. It’s really pushed data protection and security way up the regulatory chain of attention for organizations.
CS: Are Canadian organizations where they need to be in order to comply with the latest privacy legislation?
JS: Well, we’ve known about this for a while, but I gather from the lawyers here at Fasken that a lot of organizations are very busy, because they didn’t have anything like this before. Not only do they have to report significant harm but they have to keep records of data breaches. I gather that a lot of them are scrambling to put this in place.
CS: What about smaller companies that may not have the resources to appoint a privacy officer?
JS: This has always been challenging. PIPEDA requires that people have somebody in charge of protection of personal information.
If you’re a very small firm, either you can outsource it or you ask somebody to multi-task. Small firms have to look for somebody who’s really interested in this and wants to keep up with the field. They should spend a small amount helping them to follow the major trends. I don’t think you can just put your HR person in charge of this overnight and expect that will do the job. It’s an investment, I think.
CS: Given the large number of privacy breaches that are happening, should businesses view them as inevitable?
JS: Can I push back on that on principle? I think organizations can be passive and say, “Oh well we’ll probably be breached one day.” I think that’s a really, really dangerous attitude to have. If we go back to the big TJ Maxx breach — and there are ones that are even bigger that are happening now — I would say, don’t say it’s inevitable we’ll be breached. In the public and private sector, there are [organizations] that probably haven’t been breached or can be breached in a relatively minor way — which is why the new regulation says there has to be a harm factor. I would say, take that as an attitude. “What can I do to lessen the ability to be breached… or if I am breached, it’s a superficial breach.”
CS: Not to suggest that businesses are complacent, but there seems to be a prevailing sentiment that it’s getting really tough out there.
JS: I would agree with you there. It is getting more challenging, but I think attitude counts for a lot. If you’re up to date and you’ve got a good procedure and you know what can happen in the event of a breach, you can lower your risk. You can’t eliminate it, but you can certainly minimize it.
CS: What do you hope to accomplish in your new role at Fasken?
JS: This is a firm I’ve known for a long time. Almost 30 years. I was working in Montreal a long time ago. I hired people from both their Montreal and Toronto offices to do work and to write publications that were published by the Office of the Privacy Commissioner, so they’ve certainly got their credentials. I am an advisor, advising on general directions of files. What I hope to accomplish is to be able to continue to work in this area [and] help to make data protection more effective for Canadians.
This story was featured in the Winter 2019 edition of Canadian Security.