The global pandemic has created a world of uncertainty for many organizations. According to a recent Statistics Canada survey on the impacts of COVID-19, nearly two thirds of businesses have been highly affected by lower demand for their products and services, and about one third experienced a drop of 40% or more in their revenues in the first quarter of 2020.
As Canada prepares to lift many of the lockdown restrictions imposed amid the current pandemic, companies need to be ready to address a series of challenges including privacy and security risks as well as concerns from customers, employees and regulators. Your company’s response will be critical in ensuring employee trust, customer loyalty, and public accountability — as well as limiting regulatory scrutiny.
Here are some smart strategies to consider.
1. Focus on privacy training and awareness.
Since the start of the COVID-19 pandemic, the number of cyber attacks and email scams targeting organizations, their employees, and the public at large have increased five-fold. While your IT team works around the clock to protect your network, are your staff members unwittingly jeopardizing your company’s privacy and cybersecurity efforts? Do they know the warning signs and which basic safeguards to put in place to remediate? According to a recent cybersecurity report, 45% of employees in Canada and the U.S wouldn’t know how to respond to a ransomware attack — and many don’t even know what ransomware is.
See here for more work-from-home tips for companies and employees.
2. Offer your customers privacy education as a value-add.
Employees are not the only ones who will benefit from privacy and data protection awareness — your customers will appreciate it too. The Canadian Anti-Fraud Centre reported that Canadians have lost more than $1.2 million in recent weeks to scammers taking advantage of the COVID-19 pandemic.
Hackers, scammers and other threat actors are exploiting all sorts of channels to gain access to sensitive personal information from emails, calls, and text messages to social media platforms. They are using social engineering techniques: representing false charities, soliciting money, selling medications or health products without license, and impersonating companies and government agencies.
These unfortunate trends create an opportunity for companies to strengthen their relationships and communications with customers by providing valuable information on privacy and security. In addition to the financial and other measures your company has put in place for customers, privacy and data protection considerations should feature prominently in your customer communications. Consider providing tips and resources, including those compiled by CMA. Six months from now customers will look back and reflect on which brands have provided real value and helped them get through the initial crisis. Don’t you want to be one of them?
3. Proactively communicate your COVID-19 measures to your customers.
Privacy concerns were at an all-time high last year; they are even more so now in the COVID-19 era. In 2019, PwC’s Consumer Intelligence Series revealed that 85% of consumers consider cybersecurity and privacy risks among the biggest issues facing society. Even though Canadians are dealing with other pressing issues at the moment, their acute awareness about how companies and governments collect, use and disclose personal data will continue.
In times of crisis and uncertainty, customer service and clear communication are essential. Tell your customers where you stand in terms of privacy and security during a difficult period such as this pandemic. Let them know how you handle their data, how you’re securing it and what the benefits are for providing such data to the organization. Offer them helpful advice on how they can keep their data safe. These communications can go a long way in building trust with consumers. Transparency is good for business and it helps to protect the brand reputation ultimately.
4. Mitigate the privacy impact of post-lockdown measures.
Prime Minister Trudeau recently said that during the post-lockdown phase, some public health measures will have to remain in place until a vaccine or effective treatment is found. As provinces start to reopen, employers will have to decide how to permit employees, contractors, clients and visitors to return to their work environments in a way that sustains a safe workplace. Some companies are considering thermal scans to check temperatures, while others ponder whether to require a ‘health passport’ — a certification from a physician or other reliable healthcare source that the holder has tested negative to COVID-19 or has not recently presented symptoms — to allow access to company facilities.
The most appealing measure to many companies is app-based contact tracing which is quickly becoming popular in many parts of the world. Different versions by governments, employers, and mobile-phone makers are being offered to employees for use on personal and company-owned devices. But what is the most privacy-responsible way for companies to roll out an enterprise version of app-based contact tracing? Companies should conduct a privacy impact assessment to address and minimize the risks. Key considerations include securing employee buy-in, keeping geo-location data anonymous and encrypted, data minimization, retention periods, and addressing how much information, if any, should be shared with government authorities.
See here for more ‘privacy-smart’ mitigating measures.
5. Think strategically about privacy and cybersecurity.
At a time when many organizations are watching their bottom line and dealing with cash flow issues, you may be tempted to downplay the importance of investing more money and resources into privacy. This would be a mistake. In addition to some of the benefits already mentioned like enhancing consumer and employee trust during these unprecedented times, investing in your company’s privacy programs also provides financial benefits. According to a 2020 Cisco study, businesses see an average return of 2.7 times on their original investment when they bankroll data privacy practices.
Companies will soon be faced with additional regulatory pressures as well. Although the timelines initially envisioned to update Canada’s private-sector privacy law have been affected given more immediate regulatory needs, the government is still engaged in many privacy conversations and continues to evolve its strategy on privacy reform. Building and enhancing a privacy culture now can help with your privacy compliance and accountability efforts.
See here for more information on upcoming changes to Canadian privacy law and why you should invest in privacy.
The issues and trends highlighted should become topics of conversation in team and board meetings as you continue to assess the current and future impacts of COVID-19. The pandemic underscores the strong need for organizations to invest in robust and effective data privacy programs, maintain effective technical and policy measures to keep personal data safe, and reinforce their commitment to transparency, providing value and using data ethically.
Current global trends also provide an opportunity to reconsider privacy and security in relation to digital marketing strategies. As consumer expectations evolve in response to COVID-19 scams, cyberattacks and data breaches, organizations will need to respond thoughtfully and strategically. One of the top 10 future trends and issues anticipated is that the marketing and privacy teams will need to become best friends. A strong collaboration between marketing and privacy will be important to effectively respond to changing consumer expectations and privacy regulations that are becoming increasingly more stringent.
About the author: Cristina Onosé is Lead, Privacy Advocacy and Thought Leadership at PwC. Her expertise includes government regulation and e-marketing (PIPEDA, GDPR, CASL), public relations and emerging technologies (IoT, smart cities, and automated vehicles). She is a certified privacy professional (CIPP/C, CIPM) and has an MA in international affairs and a certificate in cybersecurity policy from Harvard Kennedy School.