What PIPEDA Data Privacy Law Means for Canadians

A recent survey by the federal Privacy Commissioner’s office (PCO) found that half of Canadian organizations have limited concerns about a potential breach involving their own business. Yet Canadian organizations continue to bear witness to many high-profile privacy violations, such as Air Canada’s recent report of “unusual login activity” through its mobile app leaving 20,000 users potentially affected. The study also notes that only four in 10 businesses have policies or procedures in place in the event of a breach —a number that remains unchanged since 2015.

To address the uptick in potential vulnerabilities caused by the steady stream of technological adoption in recent years, conversations within the federal government around implementing mandatory data breach disclosure rules began in 2015. Now, three years later, the federal government has given Canadian businesses until November 1 to prepare for the Personal Information Protection and Electronic Documents Act – more commonly known as PIPEDA.

Below I’ve highlighted the importance of demonstrating a comprehensive data privacy management program, and what organizations should consider when assessing their current, or future, program.

What to consider when preparing for PIPEDA

No longer will breach reporting be voluntary—it will be mandatory, and if ignored, will come with steep consequences to Canadian organizations. More specifically, PIPEDA’s data breach obligation applies where there is “a real risk of significant harm to an individual.” These regulations will require companies to report data breaches to customers, affected third parties and the federal privacy commissioner, and ultimately set the ground rules for how businesses must handle personal information during their commercial activity.

No longer will breach reporting be voluntary—it will be mandatory, and if ignored, will come with steep consequences to Canadian organizations.

There are redoubtably many new regulations and issues to consider prior to November 1. However, at a high level, the below three key considerations can help organizations assess their current cybersecurity policies and prepare accordingly.

Internal risk assessment: The most efficient way to assess cybersecurity risks is mapping out the data you control, understanding where it sits, where it’s moving to and who can access it. Businesses will also need to reorient the way they develop data capture application forms so that they’re clear, straightforward and so that customers are aware of what they’re signing up for.

In practice, determining the organization’s data classification methodology to categorize this data, will help identify where the data is and who has access or potential access to that data. It’s also important to define the policies, processes and controls, you will have in place to secure this data and ensure it is being used appropriately and in an ethical manner.

Know your weak points: Being aware of any potential security vulnerabilities is critical to mitigating—or even preventing—a cyber-attack. In addition to being able to verify that they have a solid data protection program in place, organizations must prove that they have taken preventative steps to restrict the access to data and to manage and control that data while it’s in their custody.

As part of establishing an organization’s data protection controls, ensure that access to data is minimized.

Having the right operational processes in place is imperative to managing this access to data both within your organization and any external organization that could have access to your data.

External risk assessment: It’s also necessary to keep in mind that these responsibilities don’t end within an organization, it extends to their business partners too. Transparency regarding what they can and can’t protect is the litmus test of a good partner: one who will be candid about what isn’t covered so that an organization can take measures to fill in the gaps or risk facing heavy consequences.

In practice, organizations who are compliant should understand how and where data is used by external organizations and deploy an effective program to manage external organizations from a data protection perspective. Also, ensure that your company has a process in place for continuously validating the data protection capabilities of external organizations whilst they are providing the service.

The penalties of not complying

For Canadian businesses, the average cost of a data breach is just over $6 million, according to the 2018 Cost of a Data Breach Study by Ponemon. Furthermore, organizations that knowingly fail to report to the Office of the POC, fail to maintain records of all breaches or notify affected individuals of a breach, could face fines of up to $100,000. The bigger impact, however, is what follows a breach of data: the indirect costs.

Notoriously, a company’s customer base quickly loses confidence in its ability to keep their sensitive personal information safe, resulting in a reputational decline and steep customer drop off. The study by Ponemon notes that organizations which lost only less than one per cent of their customers due to a data breach resulted in an average total cost of $2.8 million.

The regulators recognize that these things are going to happen, but it’s about how a company deals with it that’s important. The financial and reputational implications far outweigh the initial investment that comes with implementing an effective data protection program; it could potentially help save time, money and a company’s reputation.

Crispen Maung is the Chief Compliance Office for Box Canada, a cloud content management and file sharing company.