Canada’s New Data Breach Regulations: What You Need to Know

By Aaron Martin - 27 Aug 2018

Got customers in Canada?

Consider this your chance to get a jump on the newest update to Canada’s privacy law, PIPEDA (officially known as the Personal Information Protection and Electronic Documents Act). Effective November 1st, 2018, Canada will bring into force its Breach of Security Safeguards Regulations under PIPEDA, which update the existing privacy rules and establish new legal requirements for private sector businesses that experience a security breach.

Although it was published back in April of 2018, the PIPEDA update hasn’t gotten a lot of press - but that doesn’t mean businesses can plead ignorance come November if they're not compliant.

If you believe your business operations fall under PIPEDA’s jurisdiction, here’s how you can prepare for the new law:

  • Prepare to report all security breaches - Businesses will be required to notify the Canadian Privacy Commissioner and their customers about ANY security breach that poses a “risk of significant harm” to an individual. Doing so will involve conducting a risk assessment to determine whether the data is sensitive and whether it could harm the affected individuals. Details of the breach must be reported in writing, both to the Canadian Privacy Commissioner and to the affected individual(s). In addition, any third-party organisations that can assist the business in “mitigat[ing] harm to affected individuals” must be notified as well.

  • Implement strict recordkeeping - Obviously, to comply with the above, businesses need to know what data they have, who is handling that data, where it is going, and so on. Moreover, in the event of a breach, PIPEDA will require businesses to retain a record of any breach for at least two years after it occurred. Running a tight ship with regard to data management is the best way to comply with the new regulations, increase trust with your customers and avoid the financial consequences of a breach.

  • Update policies & procedures - For those organisations (especially startups) that haven’t drafted a data breach policy yet, now is an excellent time to get that wrinkle straightened out because it could become a bigger one come November. If you already have data breach documentation in place, you are ahead of the game but you likely will still need to update it to reflect the new regulations, including mandatory reporting.

  • Draft a breach response plan - Do you know who will be your first responders to a data security breach? Who contacts the affected parties? In order to respond to a breach in a way that will potentially reduce the damage, and keep you out of trouble with the federal government, having a breach response plan is a must.

  • Train staff - All personnel need to be aware of the new PIPEDA regulations and what they mean for them, regardless of their role. That’s not to say they need to read the law in full, but they should know their role in keeping your data secure. This includes understanding the risks that may lead to a breach.

Note - it may interest you to know that not all parts of Canada are affected in the same way: if your business activities are located solely in Alberta, Quebec, or British Columbia, you are already beholden to their existing equivalent legislation.

Naturally, the best way to approach PIPEDA is to keep your data secure in the first place, but preventing a security breach requires more than just a concerted effort by all staff. Sound data security also requires a comprehensive, systematic approach that not all organisations are equipped to deliver. As we saw when the European Union’s General Data Protection Regulation went live, small-to-medium enterprises in particular aren’t always equipped with the knowledge base to effectively combat the myriad risks out there, nor do they have the legal expertise to address their requirements under each new piece of legislation that comes into force.

If you have questions about your regulatory responsibilities or how to put together an effective data breach response, our team of experienced consultants can help. Feel free to get in touch with us via our 'Contact Us' page for any data privacy questions you may have. We look forward to chatting with you.