Canada Ups the Data Privacy Ante with New PIPEDA Rules

Posted 11/19/2018 by Matt Tyrer

If you were not paying that much attention to global compliance and regulatory shifts, you probably missed the Nov. 1 “go-live” date for new rules for data breach handling for companies operating in Canada. To be honest, its whole introduction in May 2018 was done rather quietly, but the new rules are now fully in force as of Nov. 1.

So what?

Well, if you operate a business in Canada there are some important things you now need to do – that’s what!

While the data privacy law itself did not really change, there were two (in my mind) very important additions to the existing legislation that any company will need to be mindful of.

Breach Notification

This was the primary change made to the Personal Information Protection and Electronic Documents Act (PIPEDA) – adding in mandatory notifications of data breaches. Any breach deemed to have “Real Risk of Significant Harm” (RROSH) must provide the following notifications as soon as feasible. That’s right. Unlike the European Union’s General Data Protection Regulation (GDPR), there is no hard window within which notifications must be made. This flexibility was built in to allow companies time to work with law enforcement, and to assess if the notification itself may add to the damage in the short term. That isn’t to say you can sit on it forever, as the Office of the Privacy Commission (OPC) will evaluate your overall incident response (and possibly add fines). 

Obviously, the OPC needs to be notified, as do the individuals affected by the breach. Less obvious is the last group needing notification: “other” organizations? This could mean having to notify law enforcement, but it could also mean having to notify banks or credit companies depending on the data that was affected. This really drives home the need to have a proper Incident Response Plan in place to identify all the whos and whats. You can even be penalized for NOT having a plan or properly established security safeguards.

Record Keeping

This one will really cause some folks heartburn!  Regardless of if a breach or incident was deemed to have met the RROSH threshold, all breaches of any kind must be properly recorded. Those records must be kept for a period of two years and be readily accessible to the OPC upon request. Think about that for a second…

Every breach.

So what’s a breach then?  Any event in which the loss or theft, unauthorized access, disclosure, copying, use, modification or destruction of personal information (PII) constitutes a breach. That’s quite a broad spectrum of possible events. Accidentally delete a backup of your client database? That counts (destruction). Lose a laptop with client data on it? Totally counts (loss).  Email a list of customers to another company? Yup (unauthorized copying/use).

What Can I Do!?

Well, in order to effectively identify and respond to any breach, you need to know where your data is and what it is – in your data center, in the cloud, at the edge, everywhere. You need a detailed index of the data that you can reference, search and audit against. You need to take a good look at the tools and processes you have available to you that can support these actions and initiatives. Essentially, you need to take a look at what Commvault can do to help.

Matt Tyrer, with nearly a decade of Commvault sales and technical expertise, is the Solutions Marketing lead for the Americas. He has more than 18 years of experience in the IT industry, covering data and information management, cloud, compliance, enterprise storage, data center consolidation and migration, disaster recovery for public and private sector clients across Canada and around the globe.