If you have grown tired of internet-privacy-focused acronyms, I have some bad news for you. The Personal Information Protection and Electronic Documents Act, which we'll refer to as PIPEDA for simplicity, is Canada's answer to the European Union's GDPR, and there are some big changes coming in November.
While it is unlikely to be as annoying as GDPR, you'll likely hear quite a lot about it in the coming days and weeks. To prepare you, let's run through a few quick reasons why you should care about PIPEDA:
- It's changing soon. On November 1, 2018, significant changes come into force under PIPEDA, and they will affect Canadian businesses of all sizes.
- You can't ignore it anymore. If you didn't have European customers, GDPR was just an annoying pop-up you had to click on everyone else's website, not something your business necessarily had to deal with. PIPEDA will not be ignored.
- It's a big deal. The most significant change to PIPEDA is the new mandatory breach reporting requirement. Any breach of security safeguards that creates a real risk of significant harm to an individual must be reported to the Office of the Privacy Commissioner and to the affected individuals, and your business must keep records of every breach of security safeguards, whether or not it met the reporting threshold.
- There's a good chance you collect data. Data breaches aren't just for huge online companies anymore. If your business keeps customer records that could be used to identify an individual, PIPEDA likely applies. This means credit card numbers, GPS data, home addresses or email addresses.
- There are penalties. The changes to PIPEDA come with fines of up to $100,000 per violation for non-compliance with the reporting and record-keeping requirements. While this isn't nearly as onerous as GDPR, it's likely only the beginning.
- You have to be proactive. PIPEDA requires that businesses implement safeguards appropriate to the sensitivity of the personal information they hold. This can mean everything from locks on filing cabinets to data encryption to a DNS firewall. Cybersecurity is now a duty you owe your customers, and it includes making sure anyone who has access to personal data understands their responsibility (i.e. no more password123, please).
- You need a plan. Even small businesses are at risk of data breaches now that the tools of the hacking trade are accessible to anyone with an internet connection. Every business should have a breach response plan, understand what personal data it keeps and where, and know who is responsible for monitoring, documenting and reporting any incident.
A good overview of the changes to PIPEDA is available from the Office of the Privacy Commissioner of Canada.
So why is this such a big deal?
Our recent 2018 CIRA Cybersecurity Survey Report found that 38 per cent of Canadian businesses were not very familiar with, or had no knowledge of, the PIPEDA requirements, and that was for the existing requirements, before these changes.
Level of familiarity with Canada's PIPEDA regulations (survey respondents):
- 17% Very familiar
- 41% Somewhat familiar
- 22% Not very familiar
- 16% No knowledge
- 4% Don't know
With the new changes coming on November 1, the number of Canadian businesses that are unaware of their new responsibilities is likely significantly higher. The implementation of GDPR may have created some data privacy fatigue around this issue, but this problem is not going anywhere.
Our survey of Canadian businesses also found that 59 per cent of respondents store personal information. This can mean data from customers, suppliers, partners or vendors, and it seems probable that this number is on the low side as well, because many respondents do not fully understand what constitutes personal data.
Nearly every business collects personal data of some kind these days; even an email newsletter list is personal information that can put a business at risk. As Canadian businesses become more aware of the risks and the issues related to data privacy, the need for resources becomes essential. While large organizations have the money to hire or outsource their cybersecurity needs, smaller businesses are often ill-equipped to do the same.
One final stat that was left on the cutting room floor of the report but was part of the survey: only 42 per cent of respondents were aware of the upcoming changes to disclosure requirements in PIPEDA. Well, now you know.