June 2, 2020


Canada’s Own ‘GDPR’ Now In Effect

The Office of the Privacy Commissioner of Canada released new breach reporting requirements for businesses last week. The Personal Information Protection and Electronic Documents Act (PIPEDA) will impact private-sector organizations that operate or do business with Canadian customers. The newly enacted federal privacy law establishes ground rules for how businesses must handle personal information in the course of commercial activity, mandating that organizations must obtain an individual’s consent when they collect, use or disclose the individual’s personal information.

Perhaps most notably, PIPEDA is similar to the European Union’s General Data Protection Regulation (GDPR) since it requires Canadian companies to alert customers any time their personal information may have been compromised.

“The number and frequency of significant data breaches over the past few years have proven there’s a clear need for mandatory reporting,” Commissioner Daniel Therrien said. “Mandatory breach reporting and notification will create an incentive for organizations to take security more seriously and bring enhanced transparency and accountability to how organizations manage personal information.”

A statement from the commissioner’s page lists, in brief, the new regulations for organizations subject to PIPEDA:

  • Report to the Privacy Commissioner’s office any breach of security safeguards where it creates a “real risk of significant harm;”

  • Notify individuals affected by a breach of security safeguards where there is a real risk of significant harm;

  • Keep records of all breaches of security safeguards that affect the personal information under their control; and

  • Keep those records for two years.

Commissioner Therrien called the regulations “imperfect but a step in the right direction.”

He also raised concerns that the reporting requirements fall short in that, for example, they don’t ensure the breach reports to his office provide the information necessary to assess the quality of organizations’ safeguards. As well, the Canadian government has not provided the Privacy Commissioner’s office with resources to analyze breach reports, provide advice and verify compliance. As a result, the office’s work will be somewhat superficial and the regime will be less effective in protecting privacy.

According to the PIPEDA information page:

The individual has a right to access personal information held by an organization and to challenge its accuracy, if need be. Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, consent must be obtained again. Individuals should also be assured that their information will be protected by appropriate safeguards.

Additionally, a privacy toolkit is available from the Commissioner’s office to help organizations live up to their PIPEDA responsibilities.

Justin Smulison authored this post.

Risk Management Magazine and Risk Management Monitor. Copyright 2020 Risk and Insurance Management Society, Inc. All rights reserved.


About this Author

Risk Management Magazine is the premier source of analysis, insight and news for corporate risk managers. RM strives to explore existing and emerging techniques and concepts that address the needs of those who are tasked with protecting the physical, financial, human and intellectual assets of their companies. As the business world and the world at large change with increasing speed, RM keeps its readers informed about new challenges and solutions.

Risk Management Magazine is delivered monthly to 17,000 readers. It is published by the Risk and Insurance Management Society, Inc. (...