As technology plays an increasing role in our society, organizations should ensure they are aware of the contractual, privacy and risk mitigation best practices associated with emerging technologies.
Below are five key considerations organizations should bear in mind when implementing new technology:
- Contracting for digital solutions. Businesses are increasingly implementing new technologies — such as cloud computing, artificial intelligence and machine learning — in order to reduce costs, generate new revenue streams, increase customer engagement, and develop competitive advantages. In most cases, these businesses enter into agreements with technology providers for this new technology. Technology agreements for larger-scale projects and technology implementations can be complex, and need to be carefully drafted and negotiated to ensure that any new technology is implemented on time, on budget and based on desired specifications, and that any ongoing services satisfy the customer’s objectives.
- Reasonableness of collection. Increased use of technology can lead to over-collection or use and disclosure of personal information that is unrelated to the purposes for which the information was originally collected (e.g., technology put in place for safety purposes that is subsequently used for employee discipline purposes). Organizations should ensure they only collect personal information for reasonable purposes, which are identified to the affected individuals, and only to the extent reasonably necessary to achieve such purposes.
- Security and data protection. Organizations have a duty to protect the personal information they have in their custody and control. Effective and adequate security protections require three basic levels of protection: physical (e.g., locked filing cabinets and alarm systems); administrative (e.g., privacy by design, security clearances, access restrictions, staff training and contracts); and technological (e.g., passwords, secure tokens, encryption, firewalls, two-factor authentication and security patches).
- Retention and destruction of data. Privacy laws allow for the retention of personal information for as long as reasonably required to accomplish the purposes for which it was collected, including any legitimate legal or business purpose. Once such purposes have been fulfilled, personal information should be destroyed in a secure manner. Accordingly, organizations should ensure they have and are applying retention and destruction policies to technological data. This includes ensuring data being stored, analyzed or processed by third-party service providers (e.g., cloud computing) is also securely destroyed in accordance with appropriate retention and destruction policies.
- Effective cybersecurity. New technologies can contribute to cost savings, improved safety, increased efficiencies and a lower environmental impact. However, new technology can also mean new threats. In order to mitigate such threats, organizations should be vigilant with their cybersecurity regime, which should include an incident response plan, to ensure any cybersecurity breach is addressed in the most effective manner possible. To have an effective incident response plan in place, organizations should: draft it considering key elements (e.g., response team, notification procedures, documentation procedures, media protocols and investigation procedures); test it (e.g., run an incident simulation and adjust the plan based on its effectiveness); establish agreements with third-party vendors in advance (e.g., public relations, investigation teams and external counsel); and review it on a regular basis.