Ajax Privacy and Cybersecurity Lawyer, Rajen Akalu, of Akalu Law P.C., provides his thoughts on data governance and relates it to modern dating.

Data Governance and Dating: Navigating Compliance in IT Security Policy

I teach a class on IT security policy and it can sometimes be a challenge to get students interested in the subject. On the surface IT policy seems dull. I’m usually able to get students thinking about the topic at a personal level and then connect it to how it applies to corporate data governance. I start by asking the class “Suppose you meet someone online and you arrange to go on a date, if they showed up late, how long would you wait before you said something?” Questions immediately follow. Did they text that they were running late? No. Is it the first time you are meeting them? Yes. How attractive is the date? Not relevant. But it IS relevant, Sir? [Laughs]. OK, yes I suppose it is. At this point I start wondering whether this may not have been the best analogy, but I’m committed now and there’s no going back!

The class consensus on this is about 5-15 minutes and leaving the date location by 30 minutes if the person is a no-show.  Flaking and ghosting are major problems in today’s commitment-phobic world with its illusion of many options and clamour for attention and novelty [which is why establishing your own policies and communicating them is important – you’re more effective when you don’t take things personally].

If the person shows up 10 minutes late with no explanation, do you just let it slide? You did arrange to meet and at least they are here. Do you see if they volunteer an explanation and ask for one if they don’t?

What’s behind all these questions anyway? And what does it have to do with policy? Well, policy is, by its nature, teleological. Its telos, or endpoint in the future, relates to an objective conceived in the present. If the person showed up late, expected you to be cool about it, and then got upset when you drew attention to it, you would infer that this relationship is unlikely to be one you will want to pursue, as it is one that will be characterized by frustration rather than co-operation. This is important feedback. Even if it might seem disappointing, you’ll be saving time, money and energy in the long run.

In the corporate world, policies need to be documented, understood and enforced if there is any hope that the organization’s mission is to be realized. It is also the way management will determine which employees support the corporate mission and which do not. Policies as applied to IT security and the management of data assets are commonly referred to as data governance.

What is Data Governance?

Data governance refers to the overall management of data availability, usability, integrity, and security within an organization. It includes policies, procedures, and frameworks that ensure data is handled responsibly and in compliance with legal and ethical standards. Effective data governance helps organizations improve decision-making, reduce risks, and maintain trust with customers and stakeholders.

Legal Frameworks for Data Governance in Canada

Canada has a robust legal framework for data governance, primarily governed by federal and provincial laws. Key legislation includes:

  1. Personal Information Protection and Electronic Documents Act (PIPEDA): PIPEDA is Canada’s federal privacy law that applies to private-sector organizations engaged in commercial activities. It requires organizations to obtain consent for data collection, implement security measures, and provide individuals with access to their personal information.
  2. Provincial Privacy Laws: Some provinces have their own privacy laws that apply to private-sector organizations, such as:
     - Alberta and British Columbia – Personal Information Protection Act (PIPA)
     - Quebec – Act Respecting the Protection of Personal Information in the Private Sector
  3. Public Sector Regulations: For public-sector organizations, federal and provincial laws govern data handling:
     - Privacy Act – Governs federal government institutions
     - Provincial Freedom of Information and Protection of Privacy Acts (FOIP/PIPA) – Apply to provincial and municipal public bodies

To ensure compliance and effective data management, organizations should adopt the following best practices:

  1. Establish a Data Governance Framework: Develop a structured framework that includes policies, roles, responsibilities, and processes for managing data. A dedicated data governance team or committee can oversee implementation.
  2. Ensure Compliance with Regulations: Regularly review legal obligations and update policies to comply with federal and provincial data laws. Engage legal and compliance teams to stay ahead of regulatory changes.
  3. Implement Strong Data Security Measures: Adopt robust cybersecurity measures, including encryption, access controls, and regular security audits, to protect sensitive data from breaches and cyber threats.
  4. Promote Data Transparency and Accountability: Organizations should clearly communicate their data collection, storage, and usage practices to customers and stakeholders. Implementing accountability mechanisms, such as audits and impact assessments, can enhance transparency.
  5. Enable Data-Driven Innovation Responsibly: While compliance is essential, organizations should also leverage data for business intelligence, AI, and innovation. Implement privacy-by-design principles to ensure responsible data use while maximizing its value.

Conclusion

We all use policies because we all have expectations of how our interactions with others should play out. At a personal level, our policies are largely implicit and it can be frustrating and disappointing when people do not behave as we expect. The problem is complicated when our emotions are involved. IT security policy development in business is no different. Implementing a new policy in a corporate environment has to take into account the people who are being asked to follow it. Otherwise, it will be met with resistance. But getting it right can make the difference between a company that runs like a well-oiled machine and one that is running into the ground. All successful companies will have robust policies and procedures that make them operate predictably, consistently and over the long term. It’s what makes them valuable.

Data governance in Canada is evolving, with regulatory changes and technological advancements shaping the landscape. Organizations must stay informed about legal requirements, adopt best practices, and prioritize data privacy and security to build trust and drive innovation. By implementing a robust data governance strategy, Canadian businesses can ensure compliance while unlocking the full potential of data in the digital economy.

Speaking to someone who understands policies and how they are implemented, like a data governance specialist or lawyer, can help your organization run smoothly and maintain regulatory compliance.

 

Rajen Akalu
647 299 5079
rajen@akalulaw.com