Effective November 1, 2018, Canada’s outdated data protection laws will get a refresh, thanks to the country’s Digital Privacy Act, an amendment to the Personal Information Protection and Electronic Documents Act (PIPEDA).
First enacted in 2001 - long before data breaches were commonplace - PIPEDA left a gap in notification and consent requirements, and in the penalties for failing to meet them, that many Canadians believe contributed to a rise in cyber-attacks. As many as 62 percent of small companies in Canada saw an increase in the number of cyber-attacks last year, and as many as 76 percent expect to see an increase this year.
This lack of data protection has left Canadians feeling vulnerable and has created market demand for commercial network security. Private businesses are filling in where government regulation falls short, creating a competitive advantage for themselves.
The Digital Privacy Act attempts to bring PIPEDA up to date with the following key components:
- Mandatory notice requirement: The Digital Privacy Act requires notice to breached individuals and organizations, as well as to the government, where a “real risk of significant harm” exists. This notification must be given “as soon as feasible” after the breach and must contain enough information for the breached party to understand the significance of the breach and what steps to take to reduce or mitigate the risk of harm.
- Heightened consent: Organizations will now be required to tell individuals what information they collect, how it is used and to whom it is disclosed. There are specific mandates for children and other vulnerable individuals. Exceptions to the consent requirement include managing employees, fraud investigations, work product information, and certain business transactions.
- Mandatory record keeping: Organizations will be required to maintain a record of every breach of their controls where personal information is impacted. This applies to all breaches, irrespective of whether or not there was a “real risk of significant harm.”
- Enforcement and penalties: Knowing violations of the breach reporting or mandatory record keeping requirements may result in fines ranging from $10,000 to $100,000.
- Commissioner publication: The Commissioner reserves the right to publish any information disclosed via mandatory breach reporting or record keeping disclosure.
Plan now for The Digital Privacy Act
When The Digital Privacy Act takes effect, Canadian companies and organizations doing business in Canada can expect to have an increased need for:
- A data protection response plan ready to go in the event of a breach.
- Cyber insurance to help comply with, and finance, data breach notification requirements, fines and penalties.
Neither a data protection response plan nor cyber insurance can be quickly thrown together post-breach. Instead, they require a strategic approach and thorough advance planning. Businesses that haven’t done so already should prepare for the new regulations without delay.
As the Canadian government finds additional reason to justify federal oversight of cyber security, more changes are likely on the horizon.
For one, Canada has already called for a review of regulations, based on the EU’s new General Data Protection Regulation (GDPR), which streamlines data protection and notification rules across the continent. Could the movement of regulations from country to country soon affect Canada?
Another consideration is whether to restrict the cross-border flow of data. In practice, Canadian companies might use a cloud service provider in the U.S. or anywhere overseas. Could the government make it more difficult to share and store data across borders?
For more information on preparing for the Digital Privacy Act, including making sure you have an appropriate data protection response plan and the right coverage in place to support notification requirements, contact your HUB broker today.