What Canada’s new federal data breach regulations mean for your business

One of government’s most critical roles is to protect an individual citizen’s rights, especially privacy.

Why is privacy important?

As Canadians, we have the right to choose what we want to disclose or not disclose, especially information about ourselves. Personal information must be protected from unauthorized access. If your credit card information is stolen, then the thief can make purchases using your money and your name. We trust our doctors to keep our health information confidential because certain illnesses carry social stigma with them, and their revelation can cause employment discrimination.

Privacy allows us to be selective in relaying different aspects of ourselves to different people. What we share with a friend can be dramatically different to what we share with our spouse, which can also be very different to what we let our co-workers know about ourselves.

In the same manner, we disclose personal information to the businesses and organizations we deal with all the time; it is how we build relationships and transact with one another. However, in exchange for our information, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) requires those firms to keep the information we share with them private.

Furthermore, if a firm does experience a data breach, it must do the following:

  1. Report it to the Privacy Commissioner of Canada – If the breach carries real risk of serious harm to an individual, the firm must disclose the breach to the Commissioner;
  2. Notify the individuals affected by the breach – The firm must help the people involved understand how the breach affects them (e.g., they may fall victim to identity theft) so they can take proper measures to mitigate the damage that the breach can cause; and
  3. Keep records of each security breach – The organization must do this for all data breaches, not just those deemed to pose a risk to individuals. These records must be available to the Commissioner upon request and must contain enough information to show the Commissioner that the organization is indeed complying with the breach reporting and notification regulations.

What does this mean for my business?

Below are important action items that you must implement immediately for trouble-free compliance:

  1. Hire or designate someone as your privacy officer – As required under PIPEDA, your firm must have a privacy officer that fulfills the following duties:
    • Developing, implementing, and maintaining a privacy policy and incident plan;
    • Managing privacy and security training and awareness programs throughout the organization;
    • Liaising with cybersecurity experts to perform preventive measures such as vulnerability audits and penetration tests; and
    • Liaising with the Office of the Privacy Commissioner (OPC) and other regulators during data breach investigations.
  2. Perform regular data audits and implement access management protocols – Your exposure to data breaches can be reduced if you know what types of information you collect, as well as how you collect, store, and destroy that data. Access to information must be well-regulated, both within the organization and for external parties such as contractors.
  3. Review your contracts and update vendor agreements for PIPEDA compliance – Commence your due diligence process immediately, and have your business partners sign privacy addendums if the provisions in prior agreements are lacking. Your firm remains culpable even if a breach of security safeguards occurs via a third-party vendor, so have each partner comply with PIPEDA, or replace the ones that won’t.
  4. Develop and regularly update a security breach response plan – Set up the processes for containing and fixing security issues, as well as for fulfilling the breach notification obligations listed above.

Complying with Canada’s changing federal data regulations is an involved but important task that can prove difficult to maintain day after day. For your peace of mind, come talk to our cybersecurity experts at XBASE Technologies. As a managed IT services provider for many organizations across Toronto and Ontario, we’ll apply the same cybersecurity best practices to your firm as well.
