In November 2018, certain amended provisions of Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) take effect. Mandatory breach reporting and record-keeping provisions come into force Nov. 1, requiring businesses to update their breach readiness and response efforts in order to comply with new notification obligations.
Although passed into law as a PIPEDA amendment in 2015 (see Senate Bill S-4), the Digital Privacy Act provisions related to breaches had not yet come into force. Only in September 2017 did the Canadian government release a draft of proposed breach reporting provisions. Not long after news of the Cambridge Analytica-Facebook scandal broke in March 2018, the government announced that these rules will come into effect on Nov. 1.
As a result, businesses will now be required to report any “breaches of security safeguards” that might cause a “real risk of significant harm” to individuals. Organizations will also be subject to a two-year record-keeping requirement covering every breach involving personal information under their control. Reports must be made to the Office of the Privacy Commissioner “as soon as feasible,” along with notification to affected individuals. The provisions outline in detail what the notice(s) must contain.
Preparing for a breach
The idea of mandatory breach notification is not new for organizations operating in either the U.S. or EU. All U.S. states now have breach reporting requirements, and the GDPR is even more prescriptive. In fact, many elements of the 2015 amendments to PIPEDA follow the spirit of GDPR, in line with a growing global trend towards enhanced privacy rights for individuals and consumers. Organizations operating in Canada should consider global regulation in addition to local law as they prepare their privacy compliance regimes.
Understanding the law – what North American organizations need to know about data privacy
Intelligent organizations know the value that data provides to their business. Increasingly, though, such data also poses a risk. New privacy laws, amid constantly changing technology, continue to expose flaws in security and risk management. To help organizations better understand the legal landscape, IT Governance USA, the leading provider of cybersecurity expertise and solutions, is pleased to announce a free webinar series to help North American organizations with their data protection compliance projects. The first webinar, “Do I need to comply with the GDPR? What North American organizations need to know about data privacy,” will be held Tuesday, October 9, 2018, 1:00 pm-2:00 pm EDT. Register now.
Visit our data breach reporting page to understand more about what you need to do. If you still have any questions, contact our team for friendly, expert advice.