Optimus Think

Privacy Law 25: Five Essential Priorities to Drive Success for Canadian Financial Institutions in 2024


Privacy is a topic that continues to dominate conversations worldwide, and for good reason. In the digital age, the risks associated with identity theft, fraudulent activities, and the misuse of personal information are more prevalent than ever before. This has led to a growing concern among consumers, who are demanding stronger data protection practices and more transparent information sharing.

Based on our experience in supporting privacy programs across many Canadian financial institutions, we believe there are five critical focus areas of utmost importance for Canadian organizations in 2024. By prioritizing these key areas and taking the necessary actions, organizations can build trust and confidence among consumers, while ensuring compliance with both current and future Canadian privacy regulations.

Focus Area 1: Improving Data Retention and Destruction Practices

In 2024, Canadian financial institutions should prioritize evaluating the effectiveness of their data retention practices and governance models. Quebec’s Law 25 requires that personal information be destroyed (or anonymized) once the purposes for which it was collected have been fulfilled, but organizations must also adhere to their own internal data policies and retention schedules so that personal information is not held longer than necessary.

To support effective data retention and destruction, financial institutions should focus on the following key activities:

  • Policies and Retention Schedules Review: Carefully assess your organization’s internal data retention policies and schedules, ensuring that for each category of personal information they state how long it is retained, which event starts the retention clock (for example, account closure or withdrawal of consent), and how it is destroyed.
  • System Assessment and Gap Analysis: Conduct a thorough analysis of your current system architecture, specifically examining the processes related to data retention and destruction. Compare your findings to your organizational policies and retention schedules to identify any discrepancies that require attention.
  • System Infrastructure Planning: Develop a plan for necessary upgrades to your system infrastructure to align with the standards set by your policies and retention schedules.
  • Controls Establishment: Implement strong control measures to ensure ongoing compliance with your data retention policies. This may involve tools, processes, or procedures to monitor and enforce policy adherence.
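The gap analysis and control steps above can be made concrete with a small retention-schedule check. The following is an added example, not code from the original article or from Optimus SBR: it assumes a record inventory exported from a system of record, with one row per record giving its data category, the date of the event that starts the retention clock, and whether a legal hold applies. The schedule, the retention periods and the sample rows are constructed for the example and are not legal advice.

```python
"""Retention-schedule compliance check.

Added example, not code from the original article or from Optimus SBR. It
assumes a record inventory exported from a system of record, with one row per
record giving its data category, the date of the event that starts the
retention clock (account closure, consent withdrawal, call date) and whether a
legal hold applies. The schedule and sample rows below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule: category -> days retained after the trigger
# event. The periods are illustrative placeholders, not legal advice.
RETENTION_SCHEDULE_DAYS = {
    "kyc_identity_docs": 7 * 365,   # after account closure
    "marketing_consent": 2 * 365,   # after consent is withdrawn
    "call_recordings": 90,          # after the call
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    trigger_date: date        # the event that starts the retention clock
    legal_hold: bool = False  # litigation/regulatory hold overrides destruction


def retention_deadline(record, schedule=RETENTION_SCHEDULE_DAYS):
    """Date on which the record becomes due for destruction."""
    return record.trigger_date + timedelta(days=schedule[record.category])


def classify(records, today, schedule=RETENTION_SCHEDULE_DAYS):
    """Bucket every record so the gap analysis sees all four outcomes.

    destroy     - past its deadline and not on hold: destroy and log it
    on_hold     - past its deadline but under legal hold: do not destroy
    unscheduled - category missing from the schedule: a policy gap to fix
    retain      - still within its retention period
    """
    report = {"destroy": [], "on_hold": [], "unscheduled": [], "retain": []}
    for r in records:
        if r.category not in schedule:
            report["unscheduled"].append(r.record_id)
        elif retention_deadline(r, schedule) > today:
            report["retain"].append(r.record_id)
        elif r.legal_hold:
            report["on_hold"].append(r.record_id)
        else:
            report["destroy"].append(r.record_id)
    return report


def destruction_log_entry(record, today, method="crypto-shred"):
    """Evidence for the destruction register: what, when and under which rule."""
    return {
        "record_id": record.record_id,
        "category": record.category,
        "deadline": retention_deadline(record).isoformat(),
        "destroyed_on": today.isoformat(),
        "method": method,
    }


# Constructed sample inventory
SAMPLE_RECORDS = [
    Record("r1", "kyc_identity_docs", date(2015, 1, 10)),
    Record("r2", "kyc_identity_docs", date(2015, 1, 10), legal_hold=True),
    Record("r3", "call_recordings", date(2024, 1, 1)),
    Record("r4", "chat_transcripts", date(2020, 1, 1)),  # no schedule entry
]

if __name__ == "__main__":
    today = date(2024, 3, 1)
    report = classify(SAMPLE_RECORDS, today)
    for bucket, ids in report.items():
        print(f"{bucket:>12}: {ids}")
    for r in SAMPLE_RECORDS:
        if r.record_id in report["destroy"]:
            print(destruction_log_entry(r, today))
```

Two details matter in practice: a record on legal hold is reported rather than silently skipped, so the hold itself becomes reviewable, and a category with no schedule entry is surfaced as a gap instead of defaulting to "keep forever", which is how over-retention usually creeps in. The destruction register entry is the evidence an auditor will ask for.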

Focus Area 2: Privacy Consent

Canadian financial institutions are facing increased customer demand for transparency in the handling of Personal Information (PI). To meet this demand, organizations are examining their customer journeys to better understand data collection, usage, sharing, and retention practices across various channels and products. Law 25 reinforces this by requiring that consent be requested in clear and simple language and separately for each purpose, rather than bundled into general terms and conditions.

While Canadian financial institutions have made progress in consent management, there is still room for improvement.

Key Steps for effective consent management include:

  • Consent Journey Mapping: Identify every point where customer consent is obtained regarding personal information. This involves focusing on customer touchpoints and understanding data collection across channels and products. By mapping the customer journey, organizations can make the necessary adjustments to consent language and approach.
  • Documentation Inventory: Maintain a record of contracts and agreements where consent is recorded, whether written or verbal. This helps organizations keep track of how consent has been gained from customers.
  • Disclosures Review: Conduct a comprehensive review of all consent language to ensure it is straightforward and easily understood. Organizations should ensure that privacy consent disclosures are transparent and clear to their customers.
  • Disclosure and Consent Artifact Updates: Update products and channel artifacts, such as applications, account agreements, and digital experiences, where PI is collected. This ensures that the necessary disclosures are clearly communicated.
  • Operating Procedure Updates and Change Management: Update existing operating procedures to meet new requirements, such as disclosures for automated decision-making processes. Communication, training, and reinforcement of expected behavior should be included in the change management approach.

Focus Area 3: Data Portability

Law 25 prioritizes privacy and data control for individuals, particularly through its right to data portability. On request, an organization must provide an individual with the computerized personal information collected from them in a structured, commonly used technological format, or transfer it securely to another organization authorized by law to receive it. Information the organization has created or inferred about the individual is not covered by this right.

To meet Law 25’s data portability requirements, Canadian financial institutions should integrate data portability as a natural extension of individual rights. They should also evaluate their data management systems and procedures to efficiently fulfill data portability requests while ensuring compliance, security, and trust.

Actions to consider include:

  • Use Case Analysis: Identify the products and channels in which personal information is collected from individuals in computerized form, and the kinds of data portability requests each of them could generate.
  • Communication Inventory: Catalogue the methods and technologies that your organization uses to share PI with customers.
  • Integration Strategy: Plan to incorporate data portability request management within your existing infrastructure, aligning with individual rights and future open banking frameworks.
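To show what fulfilling such a request looks like in practice, here is an added example that is not code from the original article or from Optimus SBR. It assumes personal information is held as rows tagged with the subject they belong to and with their provenance ("collected" from the person, or "derived" by the organization), so that the export can be limited to the individual's own collected data. The sample rows, field names and schema label are constructed for the example, and the requester is assumed to have already been authenticated.

```python
"""Data-portability export scoped to what was collected from the individual.

Added example, not code from the original article or from Optimus SBR. It
assumes personal information is held as rows tagged with the subject it
belongs to and with its provenance ("collected" from the person, or "derived"
by the organization). Law 25's portability right covers computerized personal
information collected from the person, not information created or inferred
about them, so only "collected" rows are exported. Sample rows, field names
and the schema label are constructed for the example.
"""
import json

# Constructed sample store: one row per data element
SAMPLE_STORE = [
    {"subject_id": "C-1001", "field": "legal_name", "value": "A. Client",
     "provenance": "collected", "collected_on": "2021-05-02"},
    {"subject_id": "C-1001", "field": "email", "value": "a.client@example.com",
     "provenance": "collected", "collected_on": "2021-05-02"},
    {"subject_id": "C-1001", "field": "credit_risk_score", "value": 712,
     "provenance": "derived", "collected_on": "2024-01-15"},
    {"subject_id": "C-1002", "field": "legal_name", "value": "B. Other",
     "provenance": "collected", "collected_on": "2022-09-09"},
]

PORTABLE_PROVENANCE = {"collected"}


def build_portability_export(store, subject_id, generated_at):
    """Assemble the export for one authenticated subject.

    Filtering on subject_id first prevents another customer's data leaking
    into the file; filtering on provenance keeps derived data (scores,
    segments) out of the portability response, where it belongs to the
    separate right of access instead.
    """
    own_rows = [row for row in store if row["subject_id"] == subject_id]
    portable = [
        {"field": r["field"], "value": r["value"], "collected_on": r["collected_on"]}
        for r in own_rows if r["provenance"] in PORTABLE_PROVENANCE
    ]
    withheld = sorted(r["field"] for r in own_rows
                      if r["provenance"] not in PORTABLE_PROVENANCE)
    return {
        "schema": "example-portability-export/1",  # hypothetical schema label
        "subject_id": subject_id,
        "generated_at": generated_at,               # ISO 8601 timestamp, caller-supplied
        "personal_information": sorted(portable, key=lambda item: item["field"]),
        "not_portable": withheld,                   # named so the response can explain the omission
    }


def to_json(export):
    """Structured, commonly used format: UTF-8 JSON with stable key order."""
    return json.dumps(export, indent=2, ensure_ascii=False, sort_keys=True)


if __name__ == "__main__":
    # The request handler is assumed to have authenticated the requester as
    # C-1001 before this point; the export never trusts a client-supplied id.
    print(to_json(build_portability_export(SAMPLE_STORE, "C-1001", "2024-03-01T09:00:00Z")))
```

The two filters are the security-relevant part: the subject filter is what stops a portability request from becoming a cross-customer data leak, and the provenance filter keeps the response within the scope of the right being exercised. Fields that are withheld are listed by name so the accompanying letter can point the individual to the right of access for them.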

Focus Area 4: Privacy by Default and Prioritizing User Privacy

In today’s digital world, cookie banners have become more than just a compliance requirement. They now represent user empowerment, granting individuals control over their personal information online and in mobile apps. By offering choices like ‘Accept All’, ‘Reject All’, or ‘Manage Preferences’, these banners allow users to decide how their information is used. A banner only delivers on that promise, however, if non-essential cookies and trackers actually stay off until the user opts in. As more businesses adopt these banners, it is crucial to remember that they demonstrate an organization’s commitment to privacy, especially with the new enforcement measures introduced under Law 25.

To ensure compliance with Law 25 and implement privacy by default, including its requirement that any technological function that identifies, locates or profiles an individual be deactivated until the individual turns it on, Canadian financial institutions should consider the following steps:

  • Catalogue: Create an inventory of all customer- and employee-facing domains and applications that collect or store PI.
  • Assess: Evaluate these domains and applications to determine their existing privacy settings and whether their defaults are the most privacy-protective available.
  • Recommend: Develop recommendations and solutions to enhance privacy settings, either by configuring the most privacy-protective defaults in-house or by partnering with a consent management vendor.
  • Choose: Evaluate service providers that can streamline the implementation of cookie settings and related technologies while delivering the highest levels of privacy.
  • Test and Monitor: Ensure comprehensive testing and monitoring mechanisms are in place before fully deploying the privacy settings.
  • Controls Establishment: Establish robust control measures to maintain compliant privacy practices.

Focus Area 5: Privacy Program Governance

To ensure a seamless experience for customers and employees with respect to collecting, using, and protecting PI, Canadian financial institutions must establish comprehensive governance practices across all business units and channels. This goes beyond mere compliance with legal requirements – it fosters a culture of privacy throughout the organization.

As an organization, here are some considerations:

  • Role Definition: Clearly define roles in privacy management and ensure that stakeholders and business units understand how privacy obligations affect customers, products, and policies.
  • Gap Analysis and Strategy: Assess current gaps against regulatory and internal requirements and develop a strategy for closing them.
  • Milestone Establishment: Establish clear milestones with specific ownership and deadlines. Additionally, create a remediation plan for any regulatory deadlines that have already passed.
  • Solution Implementation: Ensure that privacy solutions are consistently implemented across all channels and business units.

A Final Thought

Canadian financial institutions can stand out by how well they navigate privacy management challenges. Adopting a comprehensive approach that incorporates data retention, consent, portability, privacy by default, and governance can help build a resilient, privacy-conscious culture. Organizations that ensure compliance and go beyond it can make privacy a differentiating factor in their success.

Optimus SBR’s Financial Services Practice

Optimus SBR is an independently owned management consulting firm that works with organizations across North America to get done what isn’t. Our Financial Services Group provides strategic advisory services, process improvement services, risk management services, and project management support to leading Financial Institutions, insurers, asset managers, and pension funds.

Learn how Optimus SBR can assist you in your organization’s privacy journey.

Contact us for more information.

Carolyn Kingaby, Practice Leader, Financial Services

Doug Wilson, Senior Vice President and Technology & Data Practice Lead

