First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls

By Jeffrey Sherman, MBA, FCPA, FCA | 2 Minutes Read September 2, 2014

How does the new anti-spam legislation affect IT processes?

Canada’s new anti-spam legislation (commonly known as CASL) is now in effect, and the Canadian Radio-television and Telecommunications Commission (CRTC) has the authority to regulate under the law, specifically commercial electronic messages, the alteration of transmission data in electronic messages, and the installation of computer programs on another person’s computer system, in the course of a commercial activity.

The fundamental underlying principle in the new statute is that such activities can only be carried out with consent. Commercial electronic messages that are regulated under the new legislation include any type of electronic message sent to Canadians, including email, text messages and messages sent through social media.

The CRTC has created guidelines that go beyond the legislation. The CRTC’s guidelines represent a complex and bureaucratic approach to compliance with CASL. It remains to be seen whether they will be widely followed, but they certainly represent a gold standard for compliance.

It should be clear that managing your anti-spam obligations will mean modifying your information technology processes. Information Technology PolicyPro is monitoring developments to consider how the CRTC guidelines could be implemented by small and medium businesses in a practical and efficient manner.

The guidelines set out eight elements for a compliance program.

1. Senior management involvement

Senior management should actively encourage compliance. A chief compliance officer should be responsible and accountable for developing, managing and executing the program. Smaller businesses should establish a contact person who is responsible and accountable for compliance with CASL.

2. Risk assessment

A risk assessment should be conducted to determine if any business activities are at risk for violating CASL. Policies to mitigate risks should be developed and applied.

3. Written corporate compliance policy

Organizations should develop and implement a written corporate compliance policy. The model policy included with Information Technology PolicyPro contains essential elements of the CRTC’s guidelines such as internal procedures for compliance and related training; auditing and monitoring mechanisms; procedures for dealing with third party compliance; record keeping, especially with respect to consent; and a mechanism to allow employees to provide feedback to the chief compliance officer or point person.

4. Record keeping

Records should be maintained of policies and procedures; unsubscribe requests and actions; evidence of express consent; recipient consent logs; staff training documents; and official financial records.

5. Training

A training program, including refresher training, should be developed, and there should be situational training that links daily activities to the policies and procedures. Employees should provide written acknowledgement that they understand the corporate compliance program. The business should monitor employee comprehension of the policy and evaluate the effectiveness of the training at regular intervals, updating as necessary.

6. Auditing and monitoring

Auditing should be undertaken at regular intervals and may involve developing a quality assurance program that monitors the email marketing campaigns. Recommendations resulting from the audit should be reviewed and adopted.

7. Complaint-handling system

A complaint-handling system that allows customers to submit complaints should be put in place.

8. Corrective action

Businesses should establish an organizational disciplinary code to address contraventions. As appropriate, businesses should take corrective or disciplinary action, or provide refresher training. Records of contraventions and actions taken in response should be maintained.

Jeffrey Sherman, MBA, FCPA, FCA
CFO at Atrium Mortgage Investment Corporation (TSX:AI)
Jeffrey is CFO of Atrium Mortgage Investment Corporation (TSX:AI), a director of several companies and has had over 20 years of executive management experience. His interests include corporate governance, risk management, accounting and finance, restructuring and start-up enterprises.

Jeffrey is a popular presenter, and was an adjunct professor at York University for 15 years. He is a frequent course director and course author for many organizations, including provincial bodies of Chartered Professional Accountants across Canada.

He has written over 20 books including: Canadian Treasury Management, Canadian Risk Management, and Financial Instruments: A Guide for Financial Managers (all published by Thomson-Reuters/Carswell), as well as Finance and Accounting PolicyPro and Information Technology PolicyPro (guides to governance, procedures, and internal control), and Cash Management Toolkit for Small and Medium Businesses (all published by Chartered Professional Accountants of Canada [CPA Canada]).
Comments

  1. David Collier-Brown says

    September 2, 2014 at 12:27 pm

    Ironically, the amount of organization effort is far larger than the technical effort. In my current job, the database contains a date of last acceptance, and the login code checks to make sure it’s newer than the date the terms and conditions last changed. If not, the person gets sent to the T&C page to agree or disagree. That’s one if-statement and a page with two push-buttons.
    The checking to make sure that’s both necessary and sufficient is genuinely larger, but the cost of staying compliant is really really small.
