What is Bill 64?
Over the past several years we’ve seen a wave of privacy regulations enacted around the world that have significantly changed the way data is managed. While GDPR (General Data Protection Regulation) is a European regulation, its reach is far broader given the nature of business operations in the digital age. Similarly, CCPA (California Consumer Privacy Act), and its evolved and more encompassing successor CPRA (California Privacy Rights Act), serve to protect customers across the pond. And on September 21, 2021, the National Assembly of Québec made it the first province in Canada to enact a modern personal information protection regulation “with teeth.”
This post isn’t meant to cover the regulation and everything it entails; its purpose is to highlight the ways in which Collibra can be, and in fact is, used at organizations across all industries to support compliance. That said, in summary, the high-level takeaways that will affect most businesses are:
- Data Privacy Officer: Organizations must “designate one or more public bodies to exercise the function of personal information manager.”
- Privacy Impact Assessments: Organizations must “conduct an assessment of the privacy-related factors of any information system project or electronic service delivery project involving the collection, use, release, keeping or destruction of personal information.”
- Public Policy Disclosure and Internal Privacy Process: Organizations must “publish on its website governance rules regarding personal information.” Moreover, and perhaps more importantly, these rules must also “define the roles and responsibilities of the members of its personnel throughout the life cycle of such information and provide a process for dealing with complaints.”
- Breach Reporting: Organizations must “keep a register of confidentiality incidents”, and “take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature.”
- Increased Transparency: Policies must be “drafted in clear and simple language and disseminate it by any appropriate means to reach the persons concerned.”
- Privacy by Design: Ultimately any system or technology used that “includes functions allowing the person concerned to be identified, located or profiled” requires processes for opting out.
- Data Rights: There are multiple stipulations that highlight an individual’s dominion over their data:
  - Right to be Forgotten: a “person to whom personal information relates may require any person carrying on an enterprise to cease disseminating that information or to de-index any hyperlink attached to his name that provides access to the information by a technological means.”
  - Data Portability: right to their computerized personal information “in a structured, commonly used technological format or to require such information to be released to a third person.”
  - Automated Processing: disclosure of when personal information is used “to render a decision based exclusively on an automated processing of such information.”
While we’ve certainly seen privacy regulations on this side of the border before (e.g., the Personal Information Protection and Electronic Documents Act, or PIPEDA), this is the first time one has been introduced with such significant implications. Failure to comply with the provisions of this regulation will result in penalties commensurate with the size of the business and depending on the provisions violated:
- a natural person is liable to a fine of:
  - $1,000 to $10,000, or
  - $5,000 to $50,000
- a public institution is liable to a fine of:
  - $3,000 to $30,000, or
  - $15,000 to $150,000
- a private or public organization is liable to a fine of:
  - $15,000 to $25,000,000, or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year, or
  - $10,000,000 or, if greater, the amount corresponding to 2% of worldwide turnover for the preceding fiscal year
Fortunately, the Commission d’accès à l’information (CAI) is giving organizations enough time to implement the changes needed to support these provisions, and the requirements will be phased in over three years. The remainder of this post walks through each phase and highlights how Collibra is used at organizations across all industries to support compliance.
Year 1 (2022)
In September 2022, organizations will be required to designate a Data Privacy Officer. Collibra’s flexibility lets you operationalize the exact governance model, with the role labels your business actually uses, so that the platform is truly adopted and leveraged. In a few clicks I can create a role that makes sense to my business in Collibra and assign users to fill that role.
In my several years of working with organizations to implement data governance initiatives, perhaps unsurprisingly, the most successful programs were those in which the technology was adapted to support the business rather than business processes being modified to support the technology. If the technology speaks the language of the business, that is simply one less barrier to platform usage. Collibra’s unique and flexible operating model allows organizations to speak their own language and support multiple taxonomies.
Also beginning in September 2022, organizations will be required to support breach reporting, which is a multi-faceted requirement. First, there needs to be a process for actually logging an incident. Collibra’s privacy module ships with a comprehensive workflow that supports incident reporting.
This workflow, and in fact any workflow, can be customized entirely to suit your requirements. In the same spirit as above, workflows implemented in any tool or platform should support existing business processes so that adoption does not require significant change management. The automation realized through workflows, and the flexibility to shape them, is one of the most understated capabilities that drives value for organizations that partner with Collibra.
Second, beyond simply logging the incident, you need to implement measures that reduce the risk of similar incidents recurring. This can only be done in earnest with a platform that supports everything from reporting through remediation plan analysis and actions. Collibra enables you to build a comprehensive central repository of incidents, effectively forming a set of knowledge base articles (KBAs).
Year 2 (2023)
The following year, September 2023, is when most of these requirements need to be met. First and foremost, organizations will need to publish their privacy policies on their websites (or by other appropriate means) and, more importantly, ensure they are drafted in clear and simple language. So what exactly is “clear and simple language”? And how can you ensure that your internal and external policies are drafted with it in mind? Collibra enables you to build glossaries that support various functions, lines of business, projects, programs and so on. Beyond creating a common understanding of frequently used terms, this lets you ensure they are used appropriately.
The next requirement to be met by 2023 is ensuring that internal processes support the aforementioned public policies. Data governance is often approached from a purely theoretical perspective, and few organizations have built mature processes to support their data governance requirements operationally. Collibra enables you to quickly implement workflows that support and facilitate all interactions between the stakeholders involved.
Collibra is effectively your system of engagement for all things data: the platform that your business, data and privacy practitioners can use in unison. This covers everything from the approval of a policy before its publication, which is a concerted effort between business stewards, privacy managers and other stakeholders, to the annual attestation of policies to ensure their continued applicability. All of these processes are part of the core fabric of Collibra: workflow participants are notified by email of their pending task and are directed to Collibra to action it. Data governance doesn’t have to be icons on a flow chart and/or sending emails; rather, Collibra enables you to turn those flow charts into actionable tasks and deliverables that specific roles can be held accountable for.
Next on the list of requirements to be met by September 2023 are impact assessments. You will need the means to assess the privacy-related factors affecting systems and data where personal information is involved. Collibra Privacy includes an integrated assessments feature, which can be enabled to address the requirements stipulated in Section 63.5 of Bill 64. This feature comes out of the box with highly customizable, expert-built templates and allows you to automatically trigger assessment workflows and notify internal stakeholders to close compliance gaps arising from high-risk processing activities.
Next are the “privacy by design” requirements. When first introduced, the bill stipulated that organizations must provide the “highest level of confidentiality by default” with respect to the technological goods or services they offer. The final version of the bill maintains that sentiment but narrows its scope: the requirement now applies only to technological products or services offered to the “public,” as opposed to other parties such as employees. Collibra is a metadata management system: rather than persisting record-level information, it provides a complete view of what the data actually represents. Collibra can not only document a system’s compliance with this regulation, but also help determine, at scale, exactly which data sources contain customer data through auto-classification and the physical data connector.
Very similar to the “right to be forgotten” provisions introduced by GDPR and CCPA/CPRA, by September 2023 organizations must accommodate customers’ requests that their personal information cease being used in the manner first approved. As mentioned above, Collibra doesn’t interact with record-level data and will therefore not action these requests itself; however, by connecting your technical metadata to your logical and conceptual models, you can very efficiently identify the systems where the applicable data exists and, more importantly, understand the business processes that produce or interact with that data set.
Year 3 (2024)
Some of the remaining regulatory requirements of Bill 64 include stipulations on data portability. Effectively, upon request, organizations need to provide a customer with access to their data “in a structured, commonly used technological format.” While Collibra won’t process the request itself, it can be used to notify the appropriate data custodians who need to provide the extract from their domain. Collibra’s flexible operating model supports a federated model: rarely is a single data custodian responsible for all applications and data sources, so stewardship can be established in a robust and truly scalable enterprise manner that removes the IT bottleneck.
Lastly, by September 2024, organizations need to disclose to customers when their information is being used to render a decision based strictly on automated processing. As described in the segment on the “right to be forgotten,” Collibra can produce business-rich lineage that includes the associations between customer data and the processes that consume it. In fact, Collibra can be used to notify the appropriate stakeholders when a new automated processing activity is introduced that goes beyond the scope of what individuals were informed of at the time of collection, enabling you to introduce proactive processes that won’t slow your business down.
The primary purpose of this post was to provide a pragmatic approach to using Collibra to satisfy the most pertinent and pressing requirements of Bill 64. Is your organization ready for these changes? If not, we would love to hear from you to discuss your needs in more detail and see how we can help.