Privacy Management Plan


The intention of this document is to describe how Krystina Marie Photography & Design intends to fulfill its privacy compliance obligations as a company.




Krystina Marie Photography & Design is committed to promoting best practices in privacy compliance as an organization. The Privacy Officer will encourage all people and organizations working with the company to consider the privacy implications of all internal and external transactions.


Krystina Marie Photography & Design will appoint a Privacy Officer for the company and will ensure that they have the proper resources and authority to carry out their duties. The Privacy Officer is responsible for overseeing the development, implementation and maintenance of the organization’s privacy management program.


The responsibilities of the Privacy Officer include the following:


  • Monitoring and updating the personal information inventory continuously to keep it current and to identify and evaluate new collections, uses and disclosures;
  • Reviewing and revising policies as needed following assessments or audits, in response to a breach or complaint, new guidance, industry-based best practices, or as a result of environmental scans;
  • Conducting privacy impact assessments and security threat and risk assessments so that the privacy and security risks of changes or new initiatives within the organization are always identified and addressed;
  • Reviewing and modifying training and education on a periodic basis as a result of ongoing assessments, and communicating changes made to program controls;
  • Reviewing and adapting breach and incident management response protocols to implement best practices, recommendations and lessons learned from post-incident reviews;
  • Reviewing and, where necessary, revising requirements in contracts with service providers;
  • Updating and clarifying external communications explaining privacy policies.


The Privacy Officer of the company shall be the Operations Manager until such time as the CEO otherwise determines.


Krystina Marie Photography & Design is able to identify the personal information in its custody or control, its authority for the collection, use and disclosure of the personal information, and the sensitivity of the personal information. Privacy law is focused on the protection of personal information. In Canada, any information that can be used to identify an individual, either by itself or in combination with other information, is defined as personal information.


Personal information includes, but is not limited to, the following:


  • Name;
  • Home address;
  • Home phone number;
  • Personal email address;
  • Image;
  • Names of family members and relationship;
  • Date of birth;
  • Financial information (including bank branch, bank account number, credit card number, etc.).


Privacy Officer Training


The Privacy Officer shall complete such training and professional development as they deem appropriate to keep up to date with best practices for privacy compliance.



Completing a Privacy Impact Assessment


The Privacy Officer shall complete a Privacy Impact Assessment in the form attached as Schedule A whenever a new project or a new system is implemented that needs to be evaluated from a privacy compliance lens.



Implementing Privacy Policies and Practices


The following company policies have been implemented. The Privacy Officer is responsible for reviewing them on a regular basis and updating them as necessary:


  1. Website Privacy Policy
  2. Website Terms of Use
  3. Employee NDA
  4. Contractor NDA
  5. Technology Acceptable Use Policy


Privacy Breach Management Plan


The Privacy Officer shall maintain and implement as necessary a privacy breach management plan for the company.


The Privacy Breach Management Plan shall consist of the following four steps:


  1. Identify the privacy breach.
  2. Evaluate the risks. Within 48 hours of being informed of a privacy breach, the Privacy Officer shall take all appropriate steps to evaluate the risks of the breach, including identifying the types of information disclosed, the cause of the breach (including an evaluation of the technology involved and whether the cause was an error or a malicious act), and the size of the breach. The Privacy Officer may engage external expertise as required to complete this investigation and evaluation.
  3. Notify any appropriate parties of the breach. The Privacy Officer must determine whether any notification is required under applicable privacy legislation to parties whose personal information or confidential information has been involved in the breach. The form of notification (email, letter, etc.) will be chosen and notification will be sent within 4 weeks of the breach being identified. The Privacy Officer will document all decisions made about notification and all notices sent.
  4. Take preventative measures to prevent the breach from recurring. Within 2 months of the breach occurring, the Privacy Officer will conduct a review of the Privacy Management Plan and debrief the privacy breach incident with the appropriate persons within the organization. The Privacy Officer will determine whether additional policies, training, resources or technology solutions are required to prevent and contain future privacy breaches.