The Government of Canada published the final version of its breach of security safeguards regulations on April 18, 2018. These regulations enshrine mandatory data breach notification in Canadian law, in the form of an amendment to the Personal Information Protection and Electronic Documents Act (PIPEDA) of 2000.
Mandatory data breach notification was first established through the Digital Privacy Act of 2015, an earlier PIPEDA amendment, but was only recently brought into force after the development of more detailed data breach notification requirements. The new regulations will come into effect on November 1, 2018.
The objective of the regulations is for breached organizations to make consistent and complete information on data breaches accessible. The information can be used by involved individuals and authorities to understand and respond to the data breach situation.
Reporting data breaches
Under the regulations, in the event of a data breach, organizations must conduct a risk assessment to determine if the breach presents a “real risk of significant harm” to any individual whose information was involved in the breach. If the breach is found to cause a risk of significant harm, then it must be reported to the individual and the Privacy Commissioner of Canada.
Record keeping is also an important facet of the regulations. Organizations are obligated to keep a record of each data breach for 24 months after the day it was determined that the breach occurred. This report must be submitted to the Privacy Commissioner upon request.
The regulations do not include a specific deadline for the breach notification. However it does state that, should notification be necessary, it is to be done “as soon as feasible.” Deliberately failing to report a data breach as required, or deliberately failing to keep a record of the data breach, can lead to fines of up to $100,000 for each offense.
As stated in the Canada Gazette, the regulations have several expected benefits. Foremost is the projected contribution to the privacy and security of affected individuals, empowering them to take action as soon as notified of a breach. Another is the economic advantages, as it aligns Canada’s PIPEDA with data breach notification regulations of other countries or regions, thereby simplifying compliance for many organizations that are also subject to them.
Applying lessons from the GDPR
Since the European Union is a trade partner of Canada, one such data regulation is the General Data Protection Regulation (GDPR). It will be in force on May 25, and organizations may soon be subject to it along with the PIPEDA. The GDPR also has personal data breach notification requirements, which organizations worldwide must be more familiar with and have had a longer time to prepare for.
Taking lessons from the journey toward GDPR compliance is a good way for organizations to begin preparing for the enforcement of Canada’s own data breach notification rules. Document details and actions concerning each breach, including the effects of the breach and remedial actions taken. Prepare a communication plan for different breach notification scenarios, such as when direct notification to the individual is required or when public notification is more appropriate.
Data breach prevention is, of course, a critical aspect of compliance with any data privacy and protection regulation. This starts with extensive data mapping to gain an awareness of what types of data are being processed and the pathways the data takes. Also set protocols for responding to a data breach so as to quickly contain it and mitigate its consequences. Invest in a well-rounded cybersecurity defense that can keep up with the changing forms of cyberthreats — which also aligns with the GDPR’s “state-of-the-art” technology component.
To see how Trend Micro prepared for data breach notification and other facets of the GDPR, visit our video case study page.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).