If getting your IT systems to support privacy legislation is your jam, you’re going to love the latest update to the Personal Information Protection and Electronic Documents Act (PIPEDA). Better yet, you can apply your experience meeting the General Data Protection Regulation (GDPR) to your compliance efforts.
Here’s a closer look at what’s involved in this update and what steps you can take to remain compliant.
Stay ahead of the changes to PIPEDA regulations
Like GDPR, Canada’s new privacy breach notification rules have been in the works for some time, thanks to the Digital Privacy Act. Taking effect on November 1, 2018, the new rules require organizations to notify affected individuals and Canada’s Privacy Commissioner of all security breaches that could result in a “real risk of significant harm” to an individual. These regulations apply to all Canadian organizations, except those in Quebec, Alberta, and British Columbia, which have their own privacy legislation.
Another pending change is the finalized consent guidelines, released by the Office of the Privacy Commissioner of Canada in May 2018. This update has similarities to GDPR, as it provides guidance on the collection, use, or disclosure—collectively, processing—of a data subject’s personal information. The “Guidelines for Obtaining Meaningful Consent” set out both mandatory and suggested steps for organizations. These updates take effect in January 2019.
Relax: The latest PIPEDA principles follow in GDPR’s footsteps
If you recall your GDPR prep, you’ll also recall that PIPEDA compliance wasn’t enough to meet the demands of the European Union legislation, which is designed to protect the privacy of EU citizens regardless of geography. But a culture of privacy protection works in your favour. Just as complying with Canadian privacy legislation was good prep for GDPR, the PIPEDA amendments should be easier to wrap your head around now that you’re GDPR compliant.
These updates impact your IT team, but you’ll need to collaborate across the organization for effective compliance. Security, legal, and communications staff all need to be on board. Protecting privacy isn’t just about technology; it requires a company-wide mindset. You’ll need an executive champion to lead and maintain the necessary culture shift in the organization.
5 steps toward better compliance
If you want to boil down the latest PIPEDA compliance requirements into a plan of action, though, here are five things you should do:
- Know your data: Both the Canadian and European privacy rules require that you understand how a person’s personal data flows through the organization—how it’s collected, how it’s moved, how it’s stored, and most of all, what it’s used for. You need to map all personal and sensitive data, and you might want to consider not collecting unnecessary data—once you have it, you’re responsible for safeguarding it.
- Revise policies and procedures, and create new ones: The Canadian privacy legislation’s update specifically requires a process for notifying data subjects of a breach—again, just like the European legislation. Beyond that, you need to think about how it affects your business processes that involve data collection, such as marketing and customer onboarding.
- Automate where possible: Privacy protection is dependent on good information security practices, which can no longer depend on people alone in today’s cybersecurity climate. Just as good security takes advantage of artificial intelligence, machine learning, the embedded features of modern cybersecurity systems, and smart devices that can protect against threats on their own, you need to be proactive—not reactive—by embracing privacy by design. You should have an information management system that can track breaches, just as you would with any other IT issue.
- Train your users: Everyone in the organization needs to know what constitutes a breach, the level of risk it may pose, and whether it can cause serious harm. From there, they must understand compliance policies and procedures, so they can take appropriate steps, including notification, if necessary.
- Run fire drills: As with any disaster recovery or data protection plan, you should periodically test your breach response plan to make sure everyone plays their part should a breach occur. You want your breach response process to be by the book, so you can minimize risk and potential litigation.
Privacy has been the new normal since PIPEDA’s inception, but it’s a landscape that continues to evolve—the legislation was intended to be reviewed every five years since its introduction more than 15 years ago. What’s most important to remember with these latest updates is that compliance is a mindset, and protecting sensitive data needs to be part of your organization’s culture. Thinking about privacy intentionally will help you stay compliant in the long run, no matter how regulatory frameworks or legislation evolve.