On November 1, 2018, an acronym that most people still can’t pronounce is slated to change the face of data security for every organization in Canada. Changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) will require companies to step up their data security and due diligence.
“In addition to being able to demonstrate that they have an effective data protection program in place, organizations will have to prove that they have done everything practical to restrict the access to data and also to manage and control that data while it’s in their custody,” said data security specialist Crispen Maung, speaking at an August 2018 webinar Secure and in Compliance – New PIPEDA Rules.
As Vice-President of Compliance for Box, an enterprise content management platform with more than 41 million users worldwide, Maung brings a broad perspective to the PIPEDA discussion. “This is not just a regional phenomenon,” he says. “With the global deployment of IT systems, data is moving around the world and organizations have to consider how that data is moving within their infrastructures. There’s a movement to make sure that the data is secure and used appropriately and ethically.”
Under Canada’s new PIPEDA rules, domestic and foreign organizations subject to PIPEDA will be required to report privacy breaches to the Office of the Privacy Commissioner of Canada, keep records of privacy breaches, and notify individuals about privacy breaches when there is “a real risk of significant harm to an individual.” In this case, “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, damage to or loss of property, identity theft, and loss of employment, business or professional opportunities.
With this extended emphasis on due diligence, the relationship companies have with their enterprise cloud computing providers will be more important than ever before. SaaS providers, like Box, will have to be trusted partners – not only in data security – but also in helping the organization comply with new regulatory obligations around effective data protection.
In the case of PIPEDA compliance, organizations will need a comprehensive privacy management program, including risk assessment tools, training and education requirements, breach and incident management response protocols, service provider management, and external communication. Ongoing assessment will be needed in order to keep the inventory of personal information up to date.
“All providers will tell you what they can do,” says Maung, “but with PIPEDA in the wings, it’s actually more important to have providers that will tell you what they can’t do. I think that’s the litmus test of a good partner: someone who will tell you what isn’t covered so that you can take measures to fill in the gaps.”
Maung and other enterprise cloud computing data protection and compliance professionals suggest that organizations will need to take a more active role in assuring compliance. With the changes to data security requirements and privacy-centered legislation, companies have to be able to show effective due diligence. Doing nothing is not an option for anyone who plans to remain in business.