I think somebody should be responsible for privacy, and that's already in our legislation. They do need to have policies, but they don't need to be written, according to Alberta's PIPA. I can't speak for PIPEDA or B.C.'s PIPA. I think any legislation of a requirement to have a privacy management program does require that some mindfulness be given to scaling such a program to the organization. I'm not sure that these small organizations shouldn't be concerned about privacy, because it could be a very small organization with only two employees collecting, say, credit card information. As a consumer, I would want to know that if I'm giving my credit card information to this very small organization, they have an obligation to safeguard that information. I do think it's scalable.
On February 21st, 2017. See this statement in context.