Here are two recent presentations that may be relevant to you – one on finding internet evidence that I presented last Saturday at our firm’s PD day and another from a few days earlier on privacy, data security and CASL compliance at financial services firms. If you work in management and something catches your eye that raises questions, do get in touch.
Everyone’s talking about Porter Airlines’ recent agreement to pay a $150,000 penalty for various CASL violations. Porter is a sophisticated marketer yet slipped up, so other organizations are now wondering whether they are similarly exposed. (Perhaps this was the CRTC’s enforcement aim.)
CASL is a regulatory instrument that includes a due diligence defence. In other words, organizations can violate the act without liability if they have taken all reasonable steps to avoid the violation.
Due diligence is about using good, systematic processes to avoid bad things. Here’s a simple process for due diligence that my colleagues and I have employed and continue to employ with our clients:
- Define your operational units and prioritize them in accordance with risk
- If you can’t do them all, select key units for review
- Identify a key individual for each unit, someone with the best knowledge of messaging practices
- Ask the key individual to complete (in writing) a list-centric survey – a survey that aims to gather some basic information about all formal and informal address lists (It’s easier to identify lists than activities.)
- Review the survey response and applicable website or sites and follow up in writing with questions that help close major gaps
- Have a telephone call to confirm understanding and discuss potential compliance issues
- Draft a compliance memo – a point-form document that identifies the steps taken in the compliance review, the activities of concern and the compliance advice
- Conduct any follow-up information gathering in response to the memo
- Send the memo to the key individual for feedback on completeness
- Finalize the memo
This is not a difficult or costly process for review and remediation, though you should also budget for (a) some project management costs for a multi-unit review and (b) some multi-unit training, which is normally an appropriate follow-up to the review and remediation process.
If the Porter agreement is causing you worries, following a process like this is well worth it.