dominic jaar lexper kpmg casl

Canadian Anti-Spam Legislation Readiness, April 29th, 2014

Upload: bsookman

Post on 06-May-2015


TRANSCRIPT

Page 1: Dominic jaar lexper kpmg casl

Canadian Anti-Spam Legislation Readiness

April 29th, 2014

Page 2: Dominic jaar lexper kpmg casl

Compliance by Design

Page 3: Dominic jaar lexper kpmg casl

© 2014 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.


Page 4: Dominic jaar lexper kpmg casl

Current Market Maturity

Page 5: Dominic jaar lexper kpmg casl


CASL Maturity Levels

Level 1 (Non existent): The organization does not have any policy, procedure or system to comply with the Canadian Anti-Spam Legislation (CASL).

Level 2 (Ad hoc): The organization has compliance practices that are ill-defined and largely ad hoc in nature with regard to CASL.

Level 3 (In development): The organization is in the process of formalizing compliance measures for CASL.

Level 4 (Compliant & documented): The organization has set up documented compliance measures for CASL.

Level 5 (Measurable): The organization has measurable processes to ensure it is compliant with CASL and leverages them in a competitive fashion.

Page 6: Dominic jaar lexper kpmg casl


Maturity Assessment Executive Summary

The Capability Maturity Model outlines varying levels of organizational CASL-related governance, processes, technological and people maturity and the activities and traits per maturity level.

Maturity levels: Non existent, Ad hoc, In development, Compliant and documented, Measurable.

Business and IT processes are optimized and strategically aligned with CASL.
Automated and preventative controls to protect and manage information assets are pervasive in the environment.
Compliance requirement exercises are routine and require minimal effort.
Tracked training and awareness.
Valued information is referenced when establishing communications and CASL strategies and decisions.
Enterprise communications metrics are defined, measured and subject to continuous improvement.
Active participant in external regulatory development and direction.
Complete integration with Governance, Risk and Compliance capabilities.

Communication channels are defined and the persons responsible for these are identified.
Processes and controls are well defined and align to the value and risk of communications in a CASL context.
Technology is utilized for key stages of CASL compliance.
Communications and CASL awareness programs are conducted regularly.
Business critical communications are used to support CASL decisions.
CASL metrics are defined and measured.

The organization understands the value and risk of select communications.
Strong controls are in place regarding commercial communications.
Content and consent validation for communications are defined and applied consistently across the enterprise.
Risk assessments and audits are performed to understand communication risks.
Management understands compliance requirements and their impacts on the organization’s communications.
Management establishes core capabilities to oversee governance initiatives.
Ownership of communication channels is informally defined.
Approach to communication channels as part of CASL compliance is limited to basic controls.
Limited process and controls documentation exists.
Management is aware of required organizational compliance mandates at a high level.
Management has recognized governance needs but has not provided full support.
Limited or no controls are in place for CASL and communications management.
Process and controls documentation is ad hoc and dispersed.
Management has minimal to no understanding of required organizational compliance mandates.

[Figure: axes Time and Maturity; dimensions People, Technologies, Governance, Processes]

Page 7: Dominic jaar lexper kpmg casl


Communications

4. Which method(s) will your company use to send CEMs to third parties following July 1, 2014 (multiple choice):

Instant messaging

Text Message (SMS, MMS)

Other

Personal or Instant Message (on a computer network)

Via other online services (e.g. web forums, portals)

Via social networks (e.g. Facebook, LinkedIn, etc.)

Email

Page 8: Dominic jaar lexper kpmg casl


Exceptions

To what extent will your company rely on the “business card exception” (where the recipient’s electronic address was disclosed to the sender) implicit consent provision?

To what extent will your company rely on the “published electronic address” (where the recipient’s electronic address is “conspicuously published”) implicit consent provision?

To what extent will your company rely on the “existing business relationship” implicit consent to send CEMs?

We will rely on it when we cannot assert an express consent

We will rely on it

We will rely on it and prefer it to express consent when we can

Page 9: Dominic jaar lexper kpmg casl


Unsubscribe

Will an unsubscribe mechanism be inserted at the end of all emails sent, whether or not it qualifies as a CEM?

Yes, only for emails sent from sales, marketing or similar departments or business units

Do not know

No

Yes, for emails sent by all employees

Page 10: Dominic jaar lexper kpmg casl


Unsubscribe

Will unsubscriptions cover all CEMs, or will a choice be offered to opt out from only selected CEMs?

20%

40%

40%

It will depend on the particulars of the request (for ins

Unsubscriptions will cover only the type of communication

Unsubscriptions will cover all CEMs

Page 11: Dominic jaar lexper kpmg casl


Unsubscribe

How are unsubscribe requests currently mostly processed:

How will unsubscribe requests be processed after July 1st, 2014? (multiple choice)

Do not know

No unsubscribe mechanism yet

Manually

Automatically

Do not know

No unsubscribe mechanism

Manually

Automatically

Page 12: Dominic jaar lexper kpmg casl

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.


The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.

Dominic Jaar

Partner, KPMG Canada

National Leader, Information Management Services

(416) [email protected]