FAQs
Find answers to common questions about data privacy, security, and how Privacy Horizon helps protect your information. If you don’t see what you’re looking for, feel free to reach out!
Privacy & Security Policies & Notices
The first thing you need to know when developing a privacy program for your start-up or small company is what privacy laws apply to you and your customers. Start-ups face a bewildering array of privacy legislation, especially if you are selling your products and services across Canada and/or internationally. In Canada alone, there are more than 30 separate federal, provincial, and territorial privacy laws in effect. Depending on the location of your business and who you are selling to, different privacy laws apply to your business.
For example, if you are selling directly to consumers or private businesses, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) may apply to you. If you are selling to healthcare providers in Canada, as many as 12 provincial and territorial health privacy laws may apply to you and your customers.
Privacy laws set the ground rules for information management. If you’re setting up a privacy and security program for your start-up or enterprise for the first time, we’re here to help guide you through each step of the process.
You must publish a Statement or Notice of Information Handling Practices to comply with notice requirements in privacy legislation. A Privacy Notice or Statement informs customers and individuals about your organization’s information handling practices.
Our team of privacy and security experts can help you develop a suitable Privacy Notice or Statement for your website.
The purpose of a privacy policy is to guide your organization’s leadership, employees, and stakeholders on matters concerning the protection of privacy and compliance with the privacy legislation in each jurisdiction in which your organization conducts business.
The purpose of an information security policy is to guide your organization’s leadership, employees, and contractors on matters concerning the management of information security. This includes ensuring the protection of all information system assets (including, but not limited to, all computers, mobile devices, networking equipment, software, and data) and the mitigation of risks associated with the theft, loss, misuse, damage, or abuse of these assets.
We help our clients develop, finalize, and implement policies.
Privacy and Security
Cybersecurity is the use of policies, processes, programs, and technologies to protect data, technologies, networks, and systems from unauthorized access, exploitation, or attack. Cybersecurity aims to reduce risk, protect organizations against cyberattacks, and prevent cybersecurity breaches.
Information privacy is the right of an individual to control the collection, use, disclosure, and retention of their personal information.
Privacy by Design (PbD), developed by Dr. Ann Cavoukian, ensures privacy is built into systems from the start. It follows seven key principles, including proactive protection, default privacy settings, built-in security, transparency, and user-centric design. These principles help individuals control their data while fostering trust in businesses.
To implement PbD effectively, organizations need clear requirements, strong privacy controls, and a risk-based approach. By integrating privacy throughout the data lifecycle, businesses enhance compliance, security, and user confidence.
Security is the use of policies, processes, programs, and technologies to keep your business, technologies, and information safe from dangers or threats.
First, information privacy is important because it is the law. It’s a subject that nobody thinks about until something goes wrong. It is critical that businesses comply with all of the relevant privacy laws in their jurisdiction and demonstrate due diligence so they can avoid privacy breaches and violations of customer privacy rights. Information privacy can also help build trust in your organization and foster a strong reputation.
By safeguarding information and prioritizing privacy, businesses can foster greater adoption of new or existing technologies. As a result, privacy can help create a competitive advantage for businesses and can enable digital disruption for new technologies. When information privacy is not managed well, it puts organizations at risk and can lead to a security breach, which is extremely costly for organizations and their customers, investors, and board of directors.
Privacy and Security Assessments
A Privacy Impact Assessment (PIA) is a structured risk management methodology that looks at the environment in which your app or device will operate, how it is used, and how data flows through the technical and business processes. A PIA will help you understand the privacy risks associated with your products and services. You do not want to over-engineer your app or device. A PIA will help identify real hotspots where privacy and security countermeasures may be needed. A PIA is also an important marketing tool because it quickly communicates your privacy safeguards to your customers and demonstrates that you prioritize privacy.
We conduct privacy impact assessments (PIAs) for our clients’ products and services. We can also update a past PIA.
A security threat and risk assessment (TRA) is the process of identifying and mitigating threats and risks to the confidentiality, integrity, and/or availability of information. A TRA involves identifying what information is at risk, determining the relative magnitude of the risk, and deciding what to do about the risk. The goal of risk management is to ensure that risks remain within acceptable limits and that the cost of countermeasures is affordable. A TRA is a collaborative process in which representatives of various groups within the organization develop a shared understanding of threat and risk requirements and options. TRAs provide evidence to customers and regulators that your business has applied appropriate security due diligence to its products and services.
We conduct security threat and risk assessments (TRAs) for our clients’ products and services. We can also update a past TRA.
Privacy and Security Awareness Training
More than 90% of privacy breaches are caused by human error. Privacy and security awareness training reduces security-related risks by 60%. Privacy and security awareness training helps make your team your first line of defense by teaching them how to avoid common errors, like phishing scams, weak passwords, and careless behaviour online. Privacy and security awareness training is also important because privacy laws mandate that organizations handling personal health information provide regular privacy and security awareness training to all of their employees and contractors.
Privacy and Security Certifications
The certification process will help your team identify gaps and risks. We will help you implement the necessary information controls to manage risks and/or to help eliminate them. It will help you secure all of your data more effectively, minimizing the risk of a cybersecurity data breach.
Our certification team will work with your team to develop a customized solution, giving you the flexibility to adapt information and security controls to some or all areas of your organization to ensure that the resulting information security management system meets the specific needs of your business.
Achieving a certification helps demonstrate your business’s commitment to global best practice. By demonstrating your business’s commitment to security, you can help your business gain trust from your clients, stakeholders, and partners, demonstrating due diligence and excellence in data protection.
By demonstrating compliance and achieving certification status, your business is set apart for its excellence in information and security management, which will give your business a competitive advantage and may help you gain status as a preferred vendor or supplier.
ISO/IEC 27001 is the international standard for information security management.
ISO/IEC 27001 certification demonstrates a business’s commitment to global best practice and to security. The certification standard helps organizations establish and implement a certified information security management system, helping organizations secure their data more effectively and minimizing the risk of a cybersecurity data breach.
ISO/IEC 27001 Certification
SOC 2 Certification
CyberSecure Canada
Certification preparation is a significant undertaking. Working with our certification team will save your team a lot of time because we compile all of the necessary documents for you and create a customized information security management system framework that meets the unique needs of your business. Our team of privacy and security experts have experience helping many other businesses achieve their certifications, so we can anticipate what will be reviewed and what evidence auditors will be looking for. Certification preparation can take approximately 80% of an individual’s work hours in a year if they are not experienced at preparing for an information security management system certification or accreditation. This is a costly time commitment for organizations that do not have a team of dedicated privacy and security professionals on staff.
Privacy and Security Features
Privacy Notice – Apps must have clear, accessible privacy notices covering data collection, use, disclosure, protection, and user complaints.
Identified Purposes – Developers must transparently state why data is collected and ensure it’s not used for other purposes.
Meaningful Consent – Consent must be simple, in plain language, and obtained before data collection—no lengthy legalese.
Data Minimization – Apps should collect only essential data. Features like cameras and location tracking must be off unless necessary.
Data Encryption – Personal data must always be encrypted—on devices, in transit, and in backend systems.
Access Control – Strict controls must manage user and admin access to app data.
Authentication – Strong passwords and multi-factor authentication should be used where needed.
Monitoring & Audits – Apps must log data access to detect and respond to security breaches.
Privacy and Security Incidents
Your business should establish policies and protocols to prevent, detect, contain, and respond to privacy and security incidents. There are three critical steps in managing a privacy incident. First, you will need to complete a security incident report. Second, you need to ensure that the incident is closed. Finally, you need to communicate and implement an action plan for remediation and recovery to all of those involved in or implicated by the security breach. In this final step, you must notify all individuals, customers, and regulators of the security breach and of the actions you are taking to mitigate harm. Depending on your business, your organization’s breach management protocols may need to be coordinated with the protocols established by your customers.
We’re here to support your team every step of the way as you manage a privacy or security incident. Whether you need help preparing and preventing incidents from ever happening or responding to a security breach that has already occurred, our team is ready to help.
Back Up Your Data – Store copies in the cloud and on an external drive to restore files if attacked.
Secure Backups – Use systems that prevent ransomware from modifying or deleting backups.
Update Security Software – Keep all devices and software updated to patch vulnerabilities.
Browse Safely – Avoid unknown links, emails, and downloads from untrusted sources.
Use Secure Networks – Avoid public Wi-Fi; use a VPN for secure connections.
Stay Informed – Learn about new threats and available decryption tools.
Train Your Team – Educate employees on phishing and security best practices.
We help businesses stay protected from ransomware threats.
Ransomware is malware that employs encryption to hold a victim’s information for ransom. A user’s or organization’s critical data is encrypted so that they cannot access files, databases, or applications. A ransom is then demanded in exchange for restoring access. Ransomware is often designed to spread across a network and target database and file servers, and can thus quickly paralyze an entire organization. It is a growing threat, generating billions of dollars in payments to cybercriminals and inflicting significant damage and expenses on businesses and governmental organizations.
The average cost of a security incident is $5 million.
If you think your business has experienced a security breach, contact us immediately so we can help you manage, stop, and respond to the security breach.
Privacy and Security Laws
The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activities. If your business operates in Canada and handles customer or employee personal data, PIPEDA will apply.
The General Data Protection Regulation (GDPR) applies to any organization that targets or collects data related to people in the EU. The GDPR applies to both organizations within the EU and organizations located outside of the EU who process or collect personal data related to people who reside in the EU (regardless of the company’s location).
The Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare providers, health plans, and healthcare clearinghouses for organizations that transmit healthcare data electronically.
Yes. All privacy control frameworks require that at least one person is designated as a Privacy and Security Officer within your organization. This individual is accountable for compliance with privacy law and for executing your organization’s privacy management program. This individual should be an officer of the company with the authority to ensure your business takes the necessary actions to fulfill your organization’s privacy management program.
PHIPA applies to health information custodians who are involved in the delivery of healthcare services as well as the agents, electronic service providers, and health information network providers who may provide services, manage data, or act on behalf of custodians.
There are more than 30 different pieces of privacy legislation in effect across Canada covering the public, private, and health sectors.
Our team has privacy and security expertise in multiple countries and jurisdictions. We can help your business comply with privacy laws in North America (Canada, the United States, and Mexico), Europe (including the UK), Australia, New Zealand, China, and Japan.
No. Your cloud service provider can help you meet many of the physical and technical requirements of the HIPAA Security Rule, such as secure data centers and networks. However, your business is ultimately responsible for your HIPAA compliance. Your business is responsible for administrative safeguards mandated by HIPAA, such as policies and procedures, risk management, monitoring and audit, and for application security, such as access control. Your cloud service provider gives little or no support for the requirements outlined in the HIPAA Privacy Rules through the BAA.
We can help ensure your business is HIPAA compliant. Get a free privacy assessment to find out if your business is HIPAA compliant.
HIPAA stands for the Health Insurance Portability and Accountability Act. Passed in 1996, HIPAA was designed to modernize the US health insurance industry by promoting the use of information technology in healthcare. HIPAA was augmented in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act that further promoted the adoption and meaningful use of health information technology.
US lawmakers recognized that concerns about privacy and security would be significant barriers to the adoption of technology in the health sector. In response, they enacted Privacy and Security Rules as part of HIPAA’s Administrative Simplification Regulations. Under HITECH, the Privacy and Security Rules were strengthened and two new rules, Breach Notification and Enforcement, were added.
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU. The regulation came into effect on May 25, 2018. The GDPR levies harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
With the GDPR, Europe is signaling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence. The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).
Still have questions?
We're here to help! Reach out to us for more information or personalized assistance.
What’s Protecting Your Business from the Next Threat?
Don’t wait for a breach to expose your vulnerabilities. Let Privacy Horizon secure your data, ensure compliance, and build lasting trust.