
Inside Internal Controls

News and discussion on implementing risk management


How does the new anti-spam legislation affect IT processes?

Canada’s new anti-spam legislation (commonly known as CASL) is now in effect, and the Canadian Radio-television and Telecommunications Commission (CRTC) has the authority to enforce it. The law covers three activities when they are carried out in the course of a commercial activity: sending commercial electronic messages, altering transmission data in electronic messages, and installing computer programs on another person’s computer system.

The fundamental underlying principle in the new statute is that such activities can only be carried out with consent. Commercial electronic messages that are regulated under the new legislation include any type of electronic messages sent to Canadians, including email, text messages and messages sent through social media.

The CRTC has created guidelines that go beyond the legislation. The CRTC’s guidelines represent a complex and bureaucratic approach to compliance with CASL. It remains to be seen whether they will be widely followed, but they certainly represent a gold standard for compliance.

It should be clear that managing your anti-spam obligations will mean modifying your information technology processes. Information Technology PolicyPro is monitoring developments to consider how the CRTC guidelines could be implemented by small and medium businesses in a practical and efficient manner.

The guidelines set out eight elements for a compliance program.

1. Senior management involvement

Senior management should actively encourage compliance. A chief compliance officer should be responsible and accountable for developing, managing and executing the program. Smaller businesses should establish a contact person who is responsible and accountable for compliance with CASL.

2. Risk assessment

A risk assessment should be conducted to determine if any business activities are at risk for violating CASL. Policies to mitigate risks should be developed and applied.

3. Written corporate compliance policy

Organizations should develop and implement a written corporate compliance policy. The model policy included with Information Technology PolicyPro contains essential elements of the CRTC’s guidelines such as internal procedures for compliance and related training; auditing and monitoring mechanisms; procedures for dealing with third party compliance; record keeping, especially with respect to consent; and a mechanism to allow employees to provide feedback to the chief compliance officer or point person.

4. Record keeping

Records should be maintained of policies and procedures; unsubscribe requests and the actions taken on them; evidence of express consent; recipient consent logs; staff training documents; and official financial records.

5. Training

A training program, including refresher training, should be developed, and there should be situational training that links daily activities to the policies and procedures. Employees should provide written acknowledgement that they understand the corporate compliance program. The business should monitor employee comprehension of the policy and evaluate the effectiveness of the training at regular intervals, updating as necessary.

6. Auditing and monitoring

Auditing should be undertaken at regular intervals and may involve developing a quality assurance program that monitors the email marketing campaigns. Recommendations resulting from the audit should be reviewed and adopted.

7. Complaint-handling system

A complaint-handling system that allows customers to submit complaints should be put in place.

8. Corrective action

Businesses should establish an organizational disciplinary code to address contraventions. As appropriate, businesses should take corrective or disciplinary action, or provide refresher training. Records of contraventions and actions taken in response should be maintained.


Jeffrey Sherman

Chief financial officer, author, lecturer and professor focussing on corporate finance at Atrium Mortgage Investment Corporation, Canadian Mortgage Capital Corp., Trimel Pharmaceuticals Corporation, and Anagram Services
Jeffrey D. Sherman, BComm, MBA, CIM, FCA, is a director or CFO of several public companies and has had over 20 years of executive management experience. He is the author of Finance and Accounting PolicyPro, Not-for-Profit PolicyPro and Information Technology PolicyPro (guides to governance, procedures and internal control, all published by First Reference and the CPA).



One thought on “How does the new anti-spam legislation affect IT processes?”
  • Ironically, the amount of organization effort is far larger than the technical effort. In my current job, the database contains a date of last acceptance, and the login code checks to make sure it’s newer than the date the terms and conditions last changed. If not, the person gets sent to the T&C page to agree or disagree. That’s one if-statement and a page with two push-buttons.

    The checking to make sure that’s both necessary and sufficient is genuinely larger, but the cost of staying compliant is really really small.
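The login-time check the commenter describes, extended to the record-keeping element of the guidelines (evidence of express consent, unsubscribe requests and an audit trail), as an added example that is not code from the post, the commenter or PolicyPro. The in-memory ledger, the field names and all dates and addresses are constructed for illustration; a real system would persist the records and the audit log.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed date on which the terms and conditions last changed (illustration only).
TERMS_CHANGED_AT = datetime(2014, 7, 1, tzinfo=timezone.utc)

@dataclass
class ConsentRecord:
    recipient: str
    accepted_at: Optional[datetime]   # when express consent was last given
    source: str                       # how it was obtained; kept as evidence of consent
    withdrawn_at: Optional[datetime] = None  # set when an unsubscribe request arrives

class ConsentLedger:
    # Hypothetical in-memory consent store with an append-only audit trail.
    def __init__(self, terms_changed_at: datetime) -> None:
        self.terms_changed_at = terms_changed_at
        self._records: dict[str, ConsentRecord] = {}
        self.audit_log: list[str] = []

    def record_consent(self, recipient: str, when: datetime, source: str) -> None:
        # A fresh acceptance supersedes any earlier withdrawal.
        self._records[recipient] = ConsentRecord(recipient, when, source)
        self.audit_log.append(f"{when.isoformat()} CONSENT {recipient} via {source}")

    def record_unsubscribe(self, recipient: str, when: datetime) -> None:
        rec = self._records.setdefault(recipient, ConsentRecord(recipient, None, "none"))
        rec.withdrawn_at = when
        self.audit_log.append(f"{when.isoformat()} UNSUBSCRIBE {recipient}")

    def needs_reacceptance(self, recipient: str) -> bool:
        # The commenter's login check: acceptance must not predate the last T&C change.
        rec = self._records.get(recipient)
        if rec is None or rec.accepted_at is None:
            return True
        return rec.accepted_at < self.terms_changed_at

    def may_send_commercial_message(self, recipient: str) -> bool:
        # Consent must exist, be current for the present terms, and not be withdrawn.
        rec = self._records.get(recipient)
        if rec is None or rec.withdrawn_at is not None:
            return False
        return not self.needs_reacceptance(recipient)

def demo() -> dict[str, bool]:
    # Constructed scenario: one current consent, one stale consent, one unsubscribe, one unknown.
    ledger = ConsentLedger(TERMS_CHANGED_AT)
    ledger.record_consent("alice@example.com", datetime(2014, 8, 2, tzinfo=timezone.utc), "web form")
    ledger.record_consent("bob@example.com", datetime(2013, 3, 9, tzinfo=timezone.utc), "trade show")
    ledger.record_consent("carol@example.com", datetime(2014, 9, 1, tzinfo=timezone.utc), "web form")
    ledger.record_unsubscribe("carol@example.com", datetime(2014, 9, 15, tzinfo=timezone.utc))
    return {r: ledger.may_send_commercial_message(r)
            for r in ("alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com")}
```

Only alice may be messaged: bob's consent predates the terms change, carol has unsubscribed, and dave has no record at all.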