Since the major data protection provisions of Quebec's Law 25 went into effect in September, privacy professionals within the province and Canada at large now face the prospect of a more stringent enforcement regime under the provincial data protection authority, the Commission d'accès à l'information du Québec.
To ease compliance burdens, Canada-based privacy tech vendors Data Sentinel and Denodo joined forces to develop a Law 25 compliance solution, now available to the market.
Denodo Director, Partner and Channels Sales Robert Eckersley said the new combined solution enables organizations to employ automation to scan multiple systems and discover personally identifiable information.
The manual lift to review troves of files is removed with Data Sentinel's mapping capabilities. Denodo's data management platform then scans all the files without duplication and classifies the different types of personal information, allowing for customized security policies to restrict access to, mask or delete data depending on what the compliance remedy requires.
Eckersley said customers interested in the solution will be able to best position themselves for complying with Law 25 when the CAI begins taking enforcement actions, which he anticipated could take "another year or two."
"It starts with the identification using Data Sentinel's mapping tool, and we have a very solid process that can happen very quickly … and we can get an understanding of where data is using automation," Eckersley said. "Then, (customers have the) ability to seamlessly move that data into a no-code enforcement tool that can be done by a compliance person. Again, it's just adding a lot of automation to what could be an extremely laborious, never-ending challenge."
On 22 Sept., Law 25 data privacy requirements entered into force. They include requiring organizations to perform privacy impact assessments before adopting technology that processes personal information and adding users' "right to be forgotten." Additionally, the CAI's administrative penalty schedule, which allows for fines ranging from CAD10 million or 2% of global turnover, up to CAD25 million or 4% of global turnover for violations, technically entered into force.
Data Sentinel CEO Mark Rowan said the impact of Law 25's new requirements has left many of Quebec's privacy pros "overwhelmed" as their organizations develop action plans to achieve compliance. Less proactive companies, meanwhile, are left to hope the CAI is lenient toward noncompliance in the near-interim.
"Generally speaking, those who are taking the regulation seriously are overwhelmed with a sense of responsibility and the fact that they don't have anything done as of yet, so that's bucket number one," Rowan said. "Bucket number two seems to be the reaction (by organizations) that '(Law 25) is a problem that's quite large and it's going to take a lot of time, effort and money to deal with; we're going to push it down the road, and we're going to take a little bit of investment, and we're going to gradually chew away at the elephant over time.'"
"Ultimately, is that the right thing to do or not? It's a good question," Rowan continued. "But it's bucket number two that we hear about on a fairly regular basis."
Denodo and Data Sentinel view their joint solution as "ahead of the market" in terms of releasing a comprehensive Law 25 compliance solution, according to Eckersley. The product is available either directly through Denodo or from Data Sentinel, which is a licensed reseller of Denodo's platform. The partnering vendors also retained Copperstone Connect, which offers a full implementation package for the customer solution and consulting services.
"What information do organizations hold? Most of them don't know, especially if they're an organization of size," Eckersley said. "Here we can imagine a future where everybody has one place in the organization to go and look for data; where data is consistently parceled out to people, no matter what tool they're using and where the right people see the right data at the right time."
Rowan said one upside to the relative compliance stress Canadian companies are facing with Law 25 is that the end result will yield a significant number of organizations ready to comply with Canada's proposed comprehensive federal privacy law reform legislation, Bill C-27, whenever it ultimately passes.
"To give some practical examples, we're signing up new customers from across the country from Vancouver on one end, to a new client we've signed up in Halifax, and they've all got Law 25 as the principal issue they're looking to deal with, with an eye toward C-27," Rowan said. "The concept obviously being that if you can baseline on Law 25, you're a long way toward being compliant with C-27."