New PIPEDA Rules for Data Breach Reporting in Canada
New regulations have gone into effect in Canada today under the Personal Information Protection and Electronic Documents Act (PIPEDA) that make breach record-keeping and breach notification mandatory. The rules require organizations to keep a record of every breach of security safeguards for at least two years, and to notify affected individuals and the regulator of breaches that meet a harm threshold.
The mandatory reporting component of the Canadian privacy law requires reporting of breaches that pose a real risk of significant harm (regardless of whether the breach involves one potential victim or many more) to the Office of the Privacy Commissioner (OPC). Significant harm is defined as bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. The OPC enforces PIPEDA, which has applied to the private sector since 2001.
The potential fines for knowingly failing to report a breach, or failing to keep the required records, are up to $100,000 per violation. However, how vigorously the requirement will be enforced is currently unknown, as the privacy commissioner has said that his office needs more staff just to analyze the volume of breach reports that are expected.
Breaches that don’t meet the “real risk of significant harm” threshold still have to be recorded: the organization must keep the record for at least two years, and the OPC can request those records at any time.
The regulations have been in development for the past three years. However, a study conducted by the Canadian Internet Registration Authority (CIRA) on the state of cybersecurity in Canada found that 38 percent of respondents were unfamiliar with PIPEDA. There have also been other media reports about organizations that are not prepared for the new reporting requirements, though they usually highlight small businesses.
Canada has also been part of the effort by the United Kingdom to hear from Facebook CEO Mark Zuckerberg on privacy and other social media issues in an “international grand committee” hearing in London later this month. Zuckerberg has previously declined to speak before the UK Parliament about Cambridge Analytica, even though he has testified before the United States Congress and the European Union Parliament.