Earlier this year, the European Union implemented the GDPR regulations, which cover privacy and data protection for its citizens. Canada has recently followed suit with its own breach-reporting rules under the federal Personal Information Protection and Electronic Documents Act (PIPEDA). In 2017, only 10% of businesses affected by a cyber attack reported it to law enforcement agencies, according to Statistics Canada. Now, with PIPEDA in place, reporting data breaches is no longer voluntary but mandatory. It’s important for your business to understand the new regulations under PIPEDA and to be aware of the consequences, such as fines that can reach up to $100,000.
What Are the New PIPEDA Regulations?
Under the new regulations, companies must report breaches that cause “significant harm”. Significant harm encompasses a wide range of consequences that include bodily harm, humiliation, damage to reputation or relationships, damage to or loss of property, identity theft, and loss of employment, business or professional opportunities. These breaches must be reported to the Privacy Commissioner of Canada, those affected by the breach and any other organization or government institution that can help reduce the risk of harm resulting from the breach. Any other breaches must be properly documented, and records must be maintained for two years after the breach. As mentioned earlier, failure to comply with regulations can incur a fine of up to $100,000.
How Will the New PIPEDA Regulations Impact My Business?
Approximately 40% of Canadian companies say they are unfamiliar with Canada’s data privacy laws. Organizations will need to start paying more attention to privacy laws and how they handle customer data in order to stay compliant. Here are 5 things your business should consider about the new regulations.
1. Have a breach response plan: All organizations should have a basic policy that outlines the company’s response to a breach. This will make it easier for your company to handle a data breach and to stay compliant if one ever occurs. The plan should include processes for confirming that a breach has happened, determining what data has been taken, assessing the impact, and communicating the breach. All breach response plans should be reviewed annually and updated if necessary.
2. Plan your record keeping: Record keeping is a vital part of the new regulations, so special attention and care must be paid to make sure any breaches are documented properly. You must record all breaches, even if there is no risk of significant harm. These records need to be detailed and include items such as why the breach doesn’t meet the criteria for being reported. The records can also be requested by the Privacy Commissioner at any time, so they must be properly maintained for 24 months.
3. Educate your employees: 90% of breaches are caused by human error, making it important to have cyber-aware staff. You will also need to work with your employees to ensure that they are aware of these new regulations. If an employee notices something is wrong, you want them to bring it up before it’s too late.
4. Vet your third-party vendors: Under the new regulations, you will be responsible for all your data, even data held by third-party companies. Work with your vendors and other third-party companies to ensure that you will be notified of any breaches that put your customers’ personal data at risk. Make sure that you work only with third parties that meet adequate security requirements.
5. Know your data: PIPEDA applies to the collection, use or disclosure of personal information during a commercial activity. Personal information refers to data that can identify an individual, such as their age, medical history and financial information. Make sure your organization has data controls covering where the data is kept, who has access, what type of data is being stored and why you need that data. If the information is no longer necessary, implement rules on how to properly destroy data so that it does not fall into the wrong hands.
Improve your security posture with Jolera to help keep your data safe. For complete protection at every vector, check out our Secure IT product platform.