Data Protection in Québec, Local Experts Voice Their Opinion (Part 2)

Victor De Luca
3 min read · Mar 18, 2024

In this series of blog posts, I will relay information I collected from interviewing some of the most prominent leaders on data security and privacy in Québec. These experts have different backgrounds, expertise, and job titles. However, they all provided insightful thoughts on data protection. With the data protection and privacy laws getting more and more prevalent and stringent, practitioners and leaders may have a hard time focusing on what truly matters. I wanted to write this series to provide value to colleagues in the industry. At the end of the day, it’s always good to hear what others are doing and, more specifically, leaders in the domain. Hopefully this series provides ideas that can lead to the development of better policies and practices in your respective organizations.

In this installment of the series, I had the honor of speaking with Jean-François De Rico, Partner, Risk Consulting, Cybersecurity, and Québec Leader for Privacy at KPMG, and Eugen Miscoi, Associate at McCarthy Tétrault.

Eugen Miscoi, Associate at McCarthy Tétrault.
Jean-François De Rico, Partner, Risk Consulting, Cybersecurity, and Québec Leader for Privacy at KPMG.

Eugen Miscoi and Jean-Francois De Rico both offer nuanced views on how seriously businesses take data protection laws like Québec’s Law 25 and the GDPR. Eugen points out, “The response depends on each organization’s risk tolerance,” highlighting that while some pioneers took early steps towards compliance, others prefer to wait and see if — and how — regulators plan to enforce the new requirements before taking concrete steps towards compliance. Jean-François suggests that compliance is more common among already regulated sectors like financial services, but “a majority of businesses have not yet undertaken efforts to strengthen their personal information protection practices”.

On the subject of underutilized controls, Eugen champions the importance of data inventories and clear mapping of data flows as foundational to security and privacy programs, stating, “You have to see the whole forest before you can focus on specific trees — without a good data inventory, organizations will be relatively blind in building their privacy program”. Jean-François emphasizes the need for clearly defined responsibilities, access minimization, and retention reduction as crucial but often overlooked practices.

Regarding the publication of the names of companies that have had a confidentiality incident (the Commission d’accès à l’information, or CAI, is a public body and falls under the Act respecting Access to documents held by public bodies and the Protection of personal information), both experts see potential in using such information for third-party risk management. Eugen notes, “In theory, yes,” but he has yet to see it applied in practice, cautioning that the absence of incidents doesn’t necessarily indicate robust security and that, vice versa, the fact that an organization experienced a breach in the past does not automatically imply that it is not otherwise compliant with applicable privacy laws. Jean-François argues that organizations should “systematically validate whether a potential supplier has suffered one or more confidentiality incidents,” as part of their due diligence.

When asked about the most common privacy incident scenarios they see regularly, both mention email misdirection as a prevalent issue. Eugen adds that ransomware and social engineering attacks are common, while Jean-François specifically points to unauthorized access to databases or documents that contain personal information.

When asked what makes an effective data privacy officer, Eugen believes in effective communication, trust-building, and advising on how to say “yes, and here’s how,” rather than just saying no to new data-driven initiatives. To wrap it up, Jean-François echoes the importance of understanding the organization’s activities and having a good internal network, underlining that “collaboration and the assignment of responsibilities to several contributors” are essential for comprehensive coverage of privacy responsibilities.


Victor De Luca

Victor holds a B.Sc., a M.Eng. and an MBA. He has a strong interest in new technologies, cybersecurity and data protection.