Recently, we ran a LinkedIn poll asking professionals who should be most responsible for data privacy in a business. The results were striking: 83% said “all employees.” IT and leadership trailed far behind, and external vendors received no votes.
At first glance, this may seem obvious — of course everyone should care about privacy. But in regulatory environments, that answer reflects a more complex reality about how privacy responsibilities must be shared and operationalized.
Our poll results highlight that most professionals believe data privacy should be an organization-wide responsibility. While our results are based on a limited sample, the goal was to shed light on the importance of data privacy. In regulated fields like insurance, where personal, business and sensitive data is constantly flowing, taking privacy seriously isn’t just good ethics; it’s vital to protecting clients, maintaining trust, and ensuring compliance with privacy regulations such as PIPEDA and other provincial requirements.

⚠️ Note: This article touches on just one piece of a highly complex matter — organizational privacy responsibility. Full compliance involves legal, technical, operational, and cultural considerations.
Understanding Privacy Responsibilities
Like most Canadian businesses, insurance companies and brokerages operating in Ontario must comply with privacy laws governing the collection, use, and disclosure of personal information. For most private sector organizations, the relevant law is the Personal Information Protection and Electronic Documents Act (PIPEDA). Under PIPEDA, organizations are responsible for personal data under their control and must implement appropriate safeguards. That accountability is not passive: it means businesses must designate individuals, establish policies, and ensure ongoing compliance. At the same time, privacy protections are not purely technical. They also involve:
- Policies, training, and awareness for employees.
- Roles and procedures for handling personal information safely.
- Incident response and reporting that include all relevant staff.
Why Not Just IT or Leadership?
IT teams are essential for implementing technical protections (e.g., encryption, secure access control, monitoring, backups), but these tools are only effective if everyone treats personal data properly. Similarly, leadership must set strategy, allocate resources, and ensure legal compliance. But without employees knowing how to handle data day-to-day, privacy risks remain. The poll’s consensus — “all employees” — reflects this shared model of responsibility. The most effective privacy practices depend on a culture where everyone understands:
- What counts as personal information.
- How it should (and shouldn’t) be used.
- What to do if there’s a concern or potential breach.