At Bamboo we’re constantly aware of the push and pull nature between privacy and security, and often it comes to the fore in processes such as incident response or considerations around data lakes and operational data. In the last few weeks though, we’ve seen a great deal of discussion around Data Leak Prevention (DLP) and endpoint protection, and the clash it has against employee privacy – particularly when Bring Your Own Device (BYOD) is involved.

The article discusses the implications of someone filing a privacy complaint with the Office of the Privacy Commissioner of Canada (OPC) and the motivation of naming and shaming companies. It highlights that even if a complaint seems frivolous, it can lead to thorough investigations by the OPC, potentially uncovering compliance gaps within a company's privacy program. The article emphasizes the importance of proactive preparation for businesses, including maintaining updated policies, designating a Privacy Officer, and viewing every decision through the lens of potential regulatory scrutiny. It warns that regardless of the company's size or industry, a single complaint can have significant financial, operational, and reputational consequences, stressing the necessity for vigilance in addressing privacy concerns in the digital age.

In recent years, Canada has experienced a concerning surge in shoplifting incidents, a trend potentially exacerbated by economic factors such as inflation. As the guardians of a retailer's assets, loss prevention personnel find themselves on the frontline in addressing this growing challenge. However, in the pursuit of securing business interests, it is imperative to recognize the delicate dance between protecting assets and upholding privacy rights.

As an immigrant to Canada, I have seen the process and the documentation required to get here. My entire life condensed into a folder to be submitted to a consultant, who will in turn validate everything, and then submit it all to the IRCC (Immigration, Refugees and Citizenship Canada). This translates to a lot of deeply personal information put into the trust of a third-party, and this article goes into how quickly a phishing attack on any business can put sensitive information at risk.

The criteria for obtaining lawful consent was discussed in depth in our Law 25 Consent White Paper released late 2023. The CAI published its final consent guidelines (Guidelines 2023-1-Consent: Validity Criteria (“Consent Guidelines”)) providing us with a clearer picture and refined guidance on what is required for consent to be valid.

In a world where data breaches and privacy concerns are constantly in the headlines, it’s more crucial than ever for businesses to prioritize and navigate both privacy and security. While these concepts are often treated as separate entities, tackling them together can yield significant benefits for organizations.

The privacy and security functions, respectively, often have tunnel vision and move in different directions causing the business to spin rather than move forward fast. It is time for privacy and security to form an alliance. When privacy and security cross-pollinate to form Governance, Privacy, and Security (GPS), they are better able to protect the business, protect data, and protect individuals.

Can personal data be anonymized for one party while identifiable for another party? This has been a long-standing question and we finally have an answer. Processors who tokenize data should be aware of this new CJEU ruling to determine if they need to comply with the GDPR or any other privacy legislation.

When dealing with privacy and security, everyone jumps straight onto the compliance bandwagon. There are set laws, frameworks, regulations, standards and other checklists that allow you as a business to proudly state that you are compliant. But does ‘to-the-letter’ compliance match the public’s expectations?

Like Europe and the UK, Quebec’s Law 25 has moved closer to ensuring that customers control how, when, and where their personal information is processed. Consent ensures that your customer’s personal information is treated like the precious cargo it is – handled with care and not tossed into the sea of manipulation. Consent allows the customer to set boundaries and feel like they are driving.

In today's digital landscape, businesses face an ongoing struggle to strike the right balance between security and privacy. While robust security measures are essential to protect sensitive data and assets, maintaining customers’ and employees’ privacy is equally important to establish trust and comply with regulations. Privacy by Design (PbD) incorporates this as a principle (more on that in a future article), stating that it should not be a “zero sum” game; privacy and security should work together and not be in competition of one or the other.

When you are a SaaS provider, you have control over the software you develop, as well as the deployment processes. You are good at securing your cloud and ensuring privacy legislation is adhered to. But, what happens when you offer an on-premises or hybrid solution that clients deploy on their own (or with your assistance)? How do you ensure that the software is still being kept in a secure state and that there won’t be any collateral damage and finger pointing should something go horribly wrong?

With the groundbreaking US adequacy decision, Canadian businesses need to aware of how EU personal data transfers to the US will impact them. This is a summary detailing what the adequacy decision means for Canadian businesses.

We’ve seen a significant increase in the number of security assessments our clients are receiving from their own clients. For the more medium-size company, it starts becoming pertinent to align to a particular standard, of which there are many to choose from, each with their own merits and focus areas. One such standard that is very widely recognised, is ISO 27001.

What happens when you cannot see the forest for the trees? There are so many threats out there it’s hard to keep up with which ones directly (and materially) affect your business. Businesses can waste tremendous time and effort in addressing generic threats that do not directly relate to their business, simply because it seemed like a good idea (or someone in power heard about it at the last conference they attended).

Call centres are often the first point of contact between customers and businesses. Over the past few years, with advances in technology, including AI, call centres are collecting more personal information than before and using it in novel ways. This article explores how call centres may violate privacy and what they can do to reduce their risk of non-compliance.

Collecting geolocation information can be useful to your business, however, if not done properly, not only will you be non-compliant with privacy regulations, get fined, and find your company in a class-action lawsuit, but you will be classified as that “creepy stalker” that nobody wants to associate with. Read up on the latest cases involving geolocation data.

Consumers have succumbed to the lack of privacy they have, and have come to terms that they must give up their information to participate in society and remain relevant. They know their information is ‘out there’ and they are not getting it back. They know that short of living in a cave, this way of life will not change. Privacy is dead. A reckoning is coming in which consumers will search for companies that are responsible with consumer information. They are searching for companies they can trust. Only those companies that are proactive in re-imagining privacy will remain relevant, profitable, and future-ready for a reckoning that is coming.

There’s something distinctly wrong about waiting for things to go wrong, and then patching and fixing it after the fact. This is something that happens all the time when it comes to security of software applications. All too often, security is considered as an afterthought, or when you’re rolling around to quality assurance, and not when the actual development has taken place.

Determining the lawful basis for processing personal data can, at times, be confusing as the six lawful bases outlined in the GDPR can be interpreted (or manipulated) to make it fit for purpose. You can no longer avoid seeking consent to process personal data by simply including it in a contract.