PIPEDA Compliance Update - What You Need to Know Before November 1 2018
When it comes to data privacy compliance in 2018, the EU’s adoption of the General Data Protection Regulation (GDPR) has received nearly all of the press given the punitive ramifications of not following suit. While Canadian businesses have rightfully scrambled to meet GDPR standards, there has been some neglect within our very own country. While all businesses with Canadian interests understand that compliance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is mandatory, few have been keeping up to date on recent developments regarding PIPEDA. Again, this is understandable given that national and international media alike have been so focused on the GDPR that they haven't dedicated much coverage to this side of the pond. Fully Managed, however, has not been as quiet on the home front.
All summer long we have reported on the impending PIPEDA update, including within this article on enterprise data security solutions. What update, you ask? As of November 1st 2018, organizations subject to the Personal Information Protection and Electronic Documents Act will be required to comply with mandatory reporting of breaches of security safeguards. Today, we’re going to review exactly what your own organization needs to know.
What Your Business or Organization Needs to Know to Prepare for the November 2018 Update to Canada’s PIPEDA Policy
It is Now Mandatory to Report Security Breaches
It’s understandable for organizations to not want to disclose a data breach event given the public relations backlash that can follow. However, full disclosure serves the greater good and therefore the federal government (via the Privacy Commissioner of Canada) is now making it mandatory with the following obligations:
Organizations must report all breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals to the Privacy Commissioner of Canada.
Organizations must also notify affected individuals about those breaches.
Organizations must keep records of all breaches.
The Definition of a Security Breach
According to PIPEDA, a breach of security safeguards is defined as follows:
“The loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards”
A little fuzzy? To be honest, Clause 4.7 isn’t all that explicit itself, with suggested primary methods of protection listed as:
(a) physical measures, for example, locked filing cabinets and restricted access to offices;
(b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
(c) technological measures, for example, the use of passwords and encryption.
While it’s nice to get a heads up about locking your filing cabinets, allow us to provide a more modern definition of a security breach.
Essentially, a breach involves unauthorized access to your organizational data, access that can be achieved by hacking into systems where personal information resides, regardless of the intent of use. And yes, that means a ransomware attack is absolutely considered a breach under PIPEDA.
Simply put, if someone on your staff today clicks a link and a malicious script downloads a ransomware payload and it is not quarantined prior to execution, you will have to fill out this PIPEDA breach report right away.
Organizations That Are Subject to PIPEDA
It’s not just large and enterprise-level businesses that need to be concerned about PIPEDA compliance. Small and medium businesses alike must also comply with current and upcoming requirements. That includes strict adherence to reporting, notification, and recording of breaches. For example, if you own a coffee shop and you use your website to grab user emails as a part of a customer loyalty program and your site is hacked, you will need to follow PIPEDA protocol and report this event to the Privacy Commissioner of Canada, as well as to every single customer whose information may be compromised. No business that collects personal data from Canadians is free from these new requirements.
PIPEDA Fines Can Shut Down Your Business
The Privacy Commissioner of Canada wants you to take these updates very seriously and has prescribed fines accordingly. After all, the Commissioner sees any failure to comply with breach reporting, notification and record-keeping as a knowing contravention. That’s a fair assessment. So how big are these fines?
Penalties running up to $100,000 per violation may be imposed when a business or organization knowingly violates the breach notification requirements. As with any new regulatory law, you can expect the Privacy Commissioner of Canada to be looking to make early examples out of those who fail to meet the new guidelines soon after November 1. Most small to medium businesses can’t afford to lose $100,000 (per violation), so be sure to stay on top of breach awareness and identification and the subsequent PIPEDA protocol.
You Need to Find a Partner to Help You Achieve and Maintain Compliance
While we encourage you to become a bit of an expert on the November 2018 PIPEDA update by reviewing this information, it’s important to remember one key thing - the only way to hedge the risk of violating the new mandatory breach reporting protocol is to not get breached in the first place.
How do you accomplish this? Through the following initiatives:
Do the action items above seem daunting? They absolutely can be if you attempt to go at them alone. But in following them, you will significantly reduce the risk of a data security breach, the direct fallout, and the punitive measures that can come from not complying with regulatory bodies, GDPR and PIPEDA included.
As Canada’s premier IT support firm with extensive experience in helping businesses and organizations institute stringent cybersecurity protocols while adhering to compliance needs, Fully Managed will provide your organization with complete peace of mind. Whether you find this article before November 1 2018 or after, the time to contact Fully Managed to discuss what we can do for you is now. Contact us today.