Canada’s OPC survey reveals concerning compliance trends among businesses
Posted: June 4, 2024
Canada’s Office of the Privacy Commissioner (OPC) has published its annual survey, which seeks to reveal how businesses are approaching privacy and data protection compliance.
The survey suggests that businesses are generally aware of their responsibilities and are taking steps to meet them.
But the report reveals some concerning trends around privacy compliance – at a time when Canada is updating its decades-old Personal Information Protection and Electronic Documents Act (PIPEDA).
Why and how the OPC carried out this survey
The OPC conducts its annual business survey to steer its role in providing guidance and outreach on privacy matters.
The survey consisted of a 15-minute phone call with 800 Canadian businesses late last year. The results have been weighted according to the size of the surveyed companies. The OPC spoke to senior decision-makers familiar with their companies’ privacy and security regimes.
Awareness and compliance
The OPC found that 88% of businesses are at least moderately aware of their privacy-related responsibilities. Levels of “high awareness” have declined over recent years, from 57% in 2019 to 47% in 2023.
Around 76% of businesses have taken steps to ensure compliance with Canadian privacy law, with higher compliance in larger businesses.
Ninety-three percent of the businesses that had taken such steps found it moderately or extremely easy to comply. This year saw a significant increase in those finding it very easy to comply (from 35% in 2022 to 56% in 2023).
The proportion of businesses that said they were aware of the regulator’s publicly available resources increased to 41%, up from 33% the previous year. Around 26% of respondents reported using these tools in 2023, but 31% of those who were aware of the resources said they had no need to use them.
Implementation of privacy and security practices
Over half of businesses have implemented the following privacy practices:
- Designating a privacy officer (56%)
- Handling customer complaints (53%)
- Responding to customer requests for information (50%)
- Developing internal privacy policies (50%).
Around one-third of businesses said they provide staff with privacy training and education.
Businesses also reported that they had implemented the following security measures:
- Requiring passwords (83%)
- Controlling access to electronic files (79%)
- Using multi-factor authentication (53%)
- Encrypting stored data (49%)
- Encrypting communications (33%)
While some of these figures appear high, it’s perhaps worrying that 17% of businesses do not require employees to use passwords, and 21% have not implemented access controls.
Privacy policies
Under PIPEDA and provincial Canadian privacy laws, businesses must publish a privacy policy (or privacy notice) detailing how they collect and use personal information.
The OPC survey found:
- Fifty-five percent of businesses have a privacy policy, with larger businesses more likely to have one
- Most businesses use plain language in their privacy policies to explain data collection, usage, and sharing practices.
- The proportion of businesses that explain their data retention practices in their privacy policies increased from 57% in 2022 to 67% in 2023.
However, the results suggest that fewer companies’ privacy policies include certain key information:
- Fewer businesses explain how to file complaints in their privacy policies, down from 60% in 2022 to 49% in 2023
- Fewer businesses reported making their privacy policies easily accessible, down from 70% in 2022 to 60% in 2023.
- Fewer businesses use their privacy notices to explain how customers can request access to personal information, down from 69% in 2022 to 59% in 2023.
Data breaches and preparedness
Finally, the OPC asked businesses about data breach preparedness.
- Ninety-three percent of businesses have not experienced a privacy breach, consistent with previous years.
- Eighty-four percent of businesses feel at least somewhat prepared to respond to a data breach.
- Forty-six percent of businesses feel “highly prepared” to respond to a data breach.
Like many of the areas explored above, Canada’s data breach notification rules are due for an update under pending legal reforms. The regulator will receive new powers to enforce the law, and the maximum fines are going up.
Any business that has failed to comply with its current obligations should consider paying closer attention to privacy before these changes take effect.