Businesses that haven’t started preparing for the new privacy rules coming to Canada this fall could be in for an unpleasant surprise, say experts.
The new regulations under the Personal Information Protection and Electronic Documents Act (PIPEDA) set out the requirements for mandatory breach reporting in Canada’s private sector. The rules come into effect on November 1.
The new regime “represents a sweeping change to the conduct of commercial activities in Canada,” says a bulletin by the law firm Fasken. “The rules will present new costs, risks and challenges for organizations, large and small.”
However, the upcoming change doesn’t seem to be on the radar for most Canadian organizations. A recent survey by the federal Privacy Commissioner shows that only four in 10 businesses currently have the procedures in place to comply with the rules. Failure to meet the requirements could result in fines up to $100,000.
What are the new rules and how will they impact my business?
Under the new regulations, a security breach involving personal information under the organization’s control must be reported if it might pose a “real risk of significant harm” to affected individuals. “Significant harm” can mean anything from identity theft to damage to reputation or relationships. Reports, with details of the breach, must be sent to the affected individuals, the Privacy Commissioner and third parties that might be able to help reduce the potential harm.
PIPEDA also requires organizations to keep records of all security breaches involving personal information for two years. This is one of the most challenging aspects of the reporting regime, according to an online brief by the law firm Blakes. It “will require organizations to implement policies and procedures to ensure that all breaches (regardless of the significance) are reported and recorded in a consistent and centralized manner.”
The inability to track user access to company information can lead to other serious consequences, outlined in the Ponemon Institute’s 2018 International Cost of a Data Breach study. It shows that Canadian companies bore the highest direct costs of data breaches over the past year. The average cost of a breach in Canada was $6.11 million, compared with the global average of $3.86 million. The study also found that the faster a data breach is identified and contained, the lower the costs.
How to be ready by November
The simplest way to prepare for the new rules is to work with a solutions provider to bring all of the organization’s content into one place for tracking, search and retrieval. Organizations should consider automated tools supplied by vendors to track everything, says Sylvia Kingsmill, Canadian digital privacy & compliance leader with KPMG. “It is an evergreen exercise to continuously update the information, which would be very arduous to do manually,” she said.
Businesses should look for a provider that can bring their information into one common toolset, protect against breaches and provide the tools to ensure compliance with the regulations. The solution should integrate with existing applications rather than “rip and replace” them. For example, the software platform offered by Box houses all of an organization’s content in one place and can easily pull content from other tools.
The key thing is that the solution provider should make sure you’re ready for the new rules and make it as quick and painless as possible.
To learn more, see the Box Knowledge Hub.