The Personal Information Protection and Electronic Documents Act (PIPEDA) has been law for quite some time, but new federal data breach and compromise notification requirements went into effect November 1st, 2018. PIPEDA applies to all organizations that are federally regulated and fall under the legislative authority of the Parliament of Canada, along with all local businesses in Yukon, Nunavut, and the Northwest Territories. PIPEDA also applies to the private sector of each province unless the province has its own privacy law that is substantially similar to PIPEDA (only B.C., Alberta, and Quebec have privacy laws that are “substantially similar”).
So let's start with the basics: the 10 Privacy Principles of PIPEDA are a critical part of Canadian privacy law for the private sector. They are:
- Identifying purposes
- Limiting collection
- Limiting use, disclosure, and retention
- Individual access
- Challenging compliance
Along with these foundational rules, which you can read here, breach notification regulations were added on November 1st, 2018. In line with GDPR, these new rules require companies to report to affected individuals in the event of a security breach involving any personal information that creates a “real risk of significant harm”.
With three key new record-keeping, reporting, and notification obligations, the new PIPEDA takes a lot of inspiration from privacy laws around the world – specifically GDPR & CCPA.
Organizations will now have to document every instance of a security breach, regardless of significance or risk to an individual. They will have to hold onto records of a breach for 24 months, and also provide the Privacy Commissioner with a copy of the record.
In addition to reporting to the Privacy Commissioner, organizations must also notify all affected individuals in a way that allows them to understand the significance of the breach, and must outline any possible steps to mitigate the risk of harm to the individual. The organization must give direct notification (by email, by telephone, or in person) if the individual has consented to it. It may give indirect notification, such as a posting on its website, only if direct notification would cause further harm, if giving direct notice would be prohibitive for the organization, or if it has invalid contact information.
What happens if you don’t comply?
Failure to meet any of the breach reporting and notification requirements can expose organizations, or even directors personally, to fines of up to $100,000. Organizations can also be subject to a civil lawsuit, which is known to decimate a small business and take a chunk out of a large one. In addition, most breaches reported to the Privacy Commissioner require an investigation, which is usually time-consuming and costly and can damage your public reputation.
What should we do?
The new additions to PIPEDA closely resemble the rules and regulations found in GDPR, so we must draw upon what we learned from GDPR to fully thrive in the new privacy landscape.
Organizations need a next generation solution, an all-in-one platform that will allow them to not just handle the new age of Data Governance but thrive in it. Secure data, next gen access governance, and controlled distribution will allow businesses to gain that competitive advantage.