Legal news and trends for Canadian in-house counsel and c-suite executives
Issue link: https://digital.canadianlawyermag.com/i/1110658
MAY/JUNE 2019 22 INHOUSE derstand that data analytics is a great tool. But you should take your code of conduct and prepare a data ethics framework. Ar- ticulate your risk appetite," Besharat says. "Your lawyers should be at the table to ask questions before projects launch. The questions should be ethics based. Scrutinize the machine learning to see if it results in any bias or discrimination," she states. As well, the clarity of the message to cus - tomers when asking to use their data needs to be a priority. "Do they understand it? How can you obtain consent in an informed way if you can't explain it in a meaningful way?" says Besharat. While many customers will click on the pop-ups on their computing devices with - out reading the disclosure by the company about the use of their data, an important part of effective compliance, says Ahmad, is what happens when someone declines. "What if a person does not approve? Do you have a mechanism to respect the customer's wishes and can you show this if asked by a regulator?" Ahmad adds. Effective data management, he says, also requires very close scrutiny of any contracts with third parties, especially in the case of a data breach. "Pull out key vendor agree - ments. Make sure there are specific clauses to do with notification and co-operation if there is an investigation," says Ahmad. Peter Nguyen, general counsel, corporate secretary and privacy officer at Resolver Inc. in Toronto, agrees that keeping track of where your data is located is a priority. "Find out where your data is being hosted. Have you done a third-party risk assessment? Many general counsel may be surprised at how many [software] tools their business is using. Data is going to flow anywhere and everywhere, so it is incumbent to put in pro - asks Ahmad, whose practice focuses on technology, cybersecurity and privacy law. In recent years, he says, there have been some concerns about storing data on cloud providers in the United States because the Patriot Act provisions may give authorities in that country access to the information. In addition to ensuring there is a clear map of where all data is locating, he says it is also important to know how it is being stored. "Anonymizing can be very compli - cated to do so that it cannot be reverse engi- neered" [to obtain private information], says Ahmad, who also teaches privacy law at the University of Toronto law school. There has been an increase in recent years in cloud capacity with data centres based in Canada, which might reduce jurisdictional issues. Proceeding with caution about the type of data that is stored on the cloud may still be the best course of action, says Sam - son Chan, a lawyer at Singleton Urquhart Reynolds Vogel LLP in Vancouver. "There is inherently a greater risk of data breach generally when more parties are in contact with the personal information be - cause of more chances of errors and less control of third-party data processors such as the cloud providers," says Chan, whose practise includes privacy compliance. "If the company internally has adequate levels of protection, it may be prudent only to use cloud providers to process less sensitive in - formation," he adds. Maryann Besharat, vice president, cor- porate, legal and compliance at Intact In- surance, says many Canadian companies continue to take a conservative approach when considering whether to move data to the cloud. "I would prefer to use a Cana- dian software company. You also need to confirm that they have the safeguards you have," says Besharat. The same caution with respect to privacy issues, she says, should be in place when us - ing new data technologies. "Companies un- Data management is one of the top "pain points" for internal legal departments, says Kirsten Thompson, a Toronto-based part- ner at Dentons. "General counsel are in- creasingly under pressure to monetize data. We have all this data. Why aren't we gener- ating revenue?" says Thompson, who is also national lead of the firm's transformative technologies and data strategy group. "Smart companies are looking at this as a competitive advantage. But it also requires developing an overall message and values across everything you do. What does this message mean and how do you back it up? Remove the surprise element for consum - ers. If they think they are getting some- thing of value back, they are more likely to share information," says Thompson. The role of the legal department is to en- sure there is a "compliance blueprint" for all data collected and maintained by a compa- ny. "What risks are you assuming and how do you mitigate them?" she says. In addition to changes enacted last year in the European Union with its General Data Protection Regulation and in California with the Consumer Privacy Act, the federal privacy commissioner in Canada is also changing its approach. "There is a shift in Canada from an ombudsman to an enforcement role. In the past, you could have a 'good enough' approach," says Thompson. Going forward, she says, it will be necessary for federally regulated companies to show the process in place that ensures compliance. Businesses should not shy away from making increased use of analytics or mi - grating to the cloud, which can reduce ex- penses and provide better computational tools, says Imran Ahmad, a partner at Blake Cassels & Graydon LLP in Toronto. "But you must map your data. Where is it kept? Data flows to a sub-processor need to be very clearly identified. Are you able to trans - fer to a sub-processor in the United States?" Your lawyers should be at the table to ask questions before projects launch. The questions should be ethics based. Scrutinize the machine learning to see if it results in any bias or discrimination. MARYANN BESHARAT, Intact Insurance