Provisions of Canada’s federal Digital Privacy Act related to mandatory breach reporting and record keeping come into effect November 1, 2018.
In 2015, Canada passed the Digital Privacy Act, an amendment to the Personal Information Protection and Electronic Documents Act (PIPEDA). However, while most provisions of the Digital Privacy Act came into effect immediately, the provisions related to mandatory breach reporting and record keeping were delayed until November 1, 2018. The key components of these provisions include:
Mandatory notice requirement: Where a breach of security safeguards creates a “real risk of significant harm,” the organization must notify the affected individuals and report the breach to the Office of the Privacy Commissioner of Canada; other organizations or government institutions must also be notified where they may be able to reduce the risk of harm. Notification must be given “as soon as feasible” after the organization determines the breach has occurred, and must contain enough information for the affected party to understand the significance of the breach and what steps they can take to reduce or mitigate the risk of harm.
Heightened consent: Organizations are required to tell individuals what information they collect, how it is used and to whom it is disclosed, and consent is only valid if a reasonable person would understand the nature, purpose and consequences of that collection, use or disclosure. There are specific expectations for children and other vulnerable individuals. Exceptions to the consent requirement include managing the employment relationship, fraud investigations, work product information, and certain business transactions.
Mandatory record keeping: Organizations are required to keep a record of every breach of security safeguards involving personal information under their control, and to provide those records to the Privacy Commissioner on request. This applies to all breaches, irrespective of whether or not there was a “real risk of significant harm,” and records must be retained for 24 months after the day the organization determines the breach occurred.
Enforcement and penalties: Knowingly failing to report a breach, knowingly failing to keep the required records, or obstructing the Commissioner’s investigation of a complaint or audit is an offence, punishable by a fine of up to $10,000 on summary conviction or up to $100,000 on indictment.
Commissioner publication: The Privacy Commissioner of Canada may make public any information obtained through mandatory breach reports or breach records where the Commissioner considers that doing so is in the public interest.
Plan now for the mandatory breach reporting regulations
When the regulations come into effect on November 1, Canadian companies and organizations doing business in Canada can expect to have an increased need for:
- A data protection response plan ready to go in the event of a breach.
- Cyber insurance to help finance the costs of breach notification and any fines and penalties that follow.
Neither a data protection response plan nor cyber insurance can be quickly thrown together after a breach has already happened. Both require a strategic approach and thorough advance planning. Businesses that have not yet done so should prepare for the new regulations without delay.
As the Canadian government finds additional reason to justify federal oversight of cyber security, more changes may be on the horizon.
Another consideration is whether restrictions on the cross-border flow of data are coming. In practice, many Canadian companies use a cloud service provider in the U.S. or elsewhere overseas. Could the government make it more difficult to share and store personal information across borders?
For more information on preparing for the regulations, including making sure you have an appropriate data protection response plan and the right coverage in place to support notification requirements, contact your HUB broker today.