Every Canadian business must adhere to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Any organization that collects, uses or discloses personal information must be ready to comply with the privacy act’s new mandatory data breach response requirements as of November 1, 2018, or face the consequences of non-compliance.
Here are five key areas to focus on when preparing to comply with the Digital Privacy Act’s Data Breach Response.
- Your organization must understand what the requirements are and when the new obligations are triggered. You will need to implement policies and procedures that are aligned with the law. A thorough privacy gap analysis of existing policies and procedures will allow your organization to identify where the risks are.
- A “breach of security safeguards” involving personal information under your business’s control will trigger data breach reporting for ANY breach of security safeguards. That means you still have to report the breach regardless of whether there is a real risk or not.
- “Sensitivity of information”: your business is obligated to protect personal information with security safeguards against loss or theft, unauthorized access, disclosure, copying, use or modification. Any information can be considered sensitive, depending on the context.
- “Appropriate safeguards”: what is appropriate is determined by the sensitivity of the information. Your business should use common sense and risk management concepts, and consider the possible harm of a breach. More sensitive information should be safeguarded by a higher level of protection.
- “Breach of security safeguards”: a very broad definition that captures incidents most people would not consider a data breach. There must be a loss of, unauthorized access to, or unauthorized disclosure of personal information that is caused either by a breach of security safeguards or by not having the safeguards in place. A common scenario would be an employee allowing their child to use their company-issued smartphone, which contains customer information.
- Reviewing third-party contracts to ensure they include accountability measures for enabling, monitoring and verifying their compliance with the new requirements. This is the most overlooked step in preparing for compliance with the Digital Privacy Act.
- Your organization could be responsible for any breaches by a third party in relation to personal information to which that third party has access or with which the third party is dealing on the business’s behalf.
- The weakest link in terms of privacy vulnerabilities and liability exposure is an organization’s own employees. Organizations often focus their data security on “outside” security threats and on external third parties accessing business data. In fact, most data breaches are caused by an organization’s own employees, whether accidentally or intentionally.
- Implementing a plan to avoid and handle data breaches by its own employees is an important aspect of a business’s data breach risk mitigation plan. It is especially important under the Digital Privacy Act’s new breach response requirements because more employee breaches are likely to occur. The reporting obligation will be triggered by common scenarios that businesses might not consider privacy breaches requiring action, such as an employee allowing their child to use a smartphone that contains customer information. This means organizations must pay close attention to an employee action plan in preparation for mandatory data breach response obligations.
- Training and Policies – businesses must ensure their employee policies and training reflect the definition of a “Breach of security safeguards” to reduce the frequency of trivial breaches occurring.
- Internal breach reporting – businesses must develop a culture that allows employees to report breaches without unreasonable fear of reprisals, to ensure accurate internal reporting.
- Liability – more lawsuits are on the horizon. Employers are liable for the acts of their employees in the course of their employment – including data breaches. Even if insurance is present, no organization can insure against reputation damage.