Starting November 1, 2018, Canada will implement a new suite of legal changes relating to privacy, online security, and business regulation. These additions to the Personal Information Protection and Electronic Documents Act, or PIPEDA, are known as the Digital Privacy Act, and they will fundamentally change processes and best practices with respect to device security, online security, and overall data privacy.
There are several major changes taking force in November. Crispen Maung, Vice President of Compliance at Box, summed it up well in the Secure and in Compliance webinar: “In addition to being able to demonstrate that they have an effective data protection program in place, organizations will have to prove that they have done everything practical to restrict the access to data and also to manage and control that data while it’s in their custody.”
In short, the pressure on Canadian businesses to protect customer data will grow.
With PIPEDA, Canada’s customers take priority
One of the biggest changes to the structure of Canada’s data privacy laws lies in the new liabilities companies can be subjected to if they cannot prove they have done their due diligence to protect customer data. As part of this regulation, all data breaches must be reported to the Office of the Privacy Commissioner of Canada.
Similar to the European Union’s much-discussed GDPR, many of the impacts of the PIPEDA amendment will relate to how companies handle customer data. A breached company must now notify users if they’re likely to be exposed to bodily, material, or reputational harm as a result of the breach. This has huge implications for the offending company’s PR, with the aim of changing corporate behaviour through the introduction of mandatory consequences in the event of compromised customer data.
Start preparing for the coming changes
The best way to prepare for PIPEDA is to make sure its newest provisions never apply to you or your company. Preparedness and due diligence are the only way to achieve this—do what you can to make sure your IT security team can do its job properly. If IT employees come to management with a request, take that request seriously.
When buying endpoint devices, like printers and scanners, consider investing in a solution with embedded security features. This will keep your network more secure while also removing the need to constantly monitor all endpoints yourself. Strengthening your data and device security is a critical part of strengthening your compliance, since liability is tied to preparedness. If a company can show it was prepared, even if it was still breached, the government won’t deem the company negligent.
Also consider whether outside service providers, like cloud storage companies or scheduling platforms, have security just as tight as your own. They must be reputable and make their security measures known to their clients. If they don’t, contracting with them is likely not worth the risk.
Meet all requirements on your PIPEDA compliance checklist
The Government of Canada provides a helpful guide for understanding what the new amendments to PIPEDA mean and for determining your current level of compliance. To supplement that guide, here’s a quick but partial checklist to make sure your company hasn’t forgotten to address anything too glaring:
- Does all software and hardware architecture conform to industry security standards?
- Does your company practice the level of record keeping required in the event of a data breach?
- Does your company have processes in place to assess possible harm, notify the Privacy Commissioner, and draft a statement to customers?
- Has your company attempted to obtain consent to email customers in the event of a data breach?
- Does your entire network, including peripherals, endpoint devices, and employee devices, conform to security best practices?
- Do your contracts with third parties and service providers contain language ensuring the third party’s data security and its ability to comply with the new regulations in the event of a breach?
- Does your system automatically purge sensitive personal information once it has been used for its stated purpose?
- Does your system notify customers when their data will be collected and how it will be used?
- Does your system track collected data to ensure its use does not deviate from the customer’s expectations?
Complying with Canada’s new data privacy laws will not necessarily be easy. But once the country has adapted, Canada’s business sector will be much stronger for the effort. By conforming to the regulations, companies will end up placing an emphasis on effective internal processes and strong device security that will deliver big benefits in the long term.