5 ways to prepare for PIPEDA’s updates

October 31, 2018 | 4 Minute Read

If getting your IT systems to support privacy legislation is your jam, you’re going to love the latest update to the Personal Information Protection and Electronic Documents Act (PIPEDA). Better yet, you can apply your experience meeting the General Data Protection Regulation (GDPR) to your compliance efforts.

Here’s a closer look at what’s involved in this update and what steps you can take to remain compliant.

Stay ahead of the changes to PIPEDA regulations

Like GDPR, Canada’s new privacy breach notification rules have been in the works for some time, thanks to the Digital Privacy Act. Taking effect on November 1, 2018, the new rules require organizations to notify affected individuals and Canada’s Privacy Commissioner of all security breaches that could result in a “real risk of significant harm” to an individual. These regulations apply to all Canadian organizations, except those in Quebec, Alberta, and British Columbia, which have their own privacy legislation.

Another pending change is the finalized consent guidelines, released by the Office of the Privacy Commissioner of Canada in May 2018. This update has similarities to GDPR, as it provides guidance on the collection, use, or disclosure—collectively, processing—of a data subject’s personal information. The “Guidelines for Obtaining Meaningful Consent” set out both mandatory and suggested steps for organizations. These updates take effect in January 2019.

Relax: The latest PIPEDA principles follow in GDPR’s footsteps

If you recall your GDPR prep, you’ll also recall that PIPEDA compliance wasn’t enough to meet the demands of the European Union legislation, which is designed to protect the privacy of EU citizens regardless of geography. But a culture of privacy protection works in your favour. Just as complying with Canadian privacy legislation was good prep for GDPR, the PIPEDA amendments should be easier to wrap your head around now that you’re GDPR compliant.

These updates impact your IT team, but you’ll need to collaborate across the organization for effective compliance. Security, legal, and communications staff all need to be on board. Protecting privacy isn’t just about technology; it requires a company-wide mindset. You’ll need an executive champion to lead and maintain the necessary culture shift in the organization.

5 steps toward better compliance

If you want to boil down the latest PIPEDA compliance requirements into a plan of action, here are five things you should do:

  • Know your data: Both the Canadian and European privacy rules require that you understand how a person’s personal data flows through the organization—how it’s collected, how it’s moved, how it’s stored, and most of all, what it’s used for. You need to map all personal and sensitive data, and you might want to consider not collecting unnecessary data—once you have it, you’re responsible for safeguarding it.
  • Revise policies and procedures, and create new ones: The Canadian privacy legislation’s update specifically requires a process for notifying data subjects of a breach—again, just like the European legislation. Beyond that, you need to think about how it affects your business processes that involve data collection, such as marketing and customer onboarding.
  • Automate where possible: Privacy protection is dependent on good information security practices, which can no longer depend on people alone in today’s cybersecurity climate. Just as good security takes advantage of artificial intelligence, machine learning, the embedded features of modern cybersecurity systems, and smart devices that can protect against threats on their own, you need to be proactive—not reactive—by embracing privacy by design. You should have an information management system that can track breaches, just as you would with any other IT issue.
  • Train your users: Everyone in the organization needs to know what constitutes a breach, the level of risk it may pose, and whether it can cause serious harm. From there, they must understand compliance policies and procedures, so they can take appropriate steps, including notification, if necessary.
  • Run fire drills: As with any disaster recovery and data protection plan, you should periodically test your breach response plans to make sure everyone plays their part should a breach occur. You want your breach response process to be by the book, so you can minimize risk and potential litigation.

Privacy has been the new normal since PIPEDA’s inception, but it’s a landscape that continues to evolve—the legislation was intended to be reviewed every five years since its introduction more than 15 years ago. What’s most important to remember with these latest updates is that compliance is a mindset, and protecting sensitive data needs to be part of your organization’s culture. Thinking about privacy intentionally will help you stay compliant in the long run, no matter how regulatory frameworks or legislation evolve.
