Organizations should start now to get ready for Canada’s new privacy breach notification rules, say experts.
The new regulations require organizations to notify individuals and Canada’s Privacy Commissioner of all security breaches that could result in a “real risk of significant harm” to an individual. The regulations, under the Personal Information Protection and Electronic Documents Act (PIPEDA), come into effect on November 1. They apply to all companies, except those in British Columbia, Alberta and Quebec, which have their own privacy laws.
“It’s more than a subtle change,” said Scott Smith, senior director, Intellectual Property & Innovation Policy, Canadian Chamber of Commerce. “Every breach, whether significant or not, must be recorded.”
If a recent survey by the Privacy Commissioner’s office is any indication, many Canadian businesses have a lot of work to do to comply with the rules. It found that only four in 10 businesses have policies or procedures in place to deal with a breach involving the personal information of their customers.
How to get started
Organizations will need all hands on deck to review their compliance with the new rules, including teams from IT, legal, security and communications, says Sylvia Kingsmill, Canadian digital privacy & compliance leader with KPMG. Here are five practical steps to consider:
- Identify the data – “The most important thing is to take a pragmatic approach to see what information you have, where it is and how sensitive it is,” says Jason Cassidy, CEO of ShinyDocs. The requirements cast a wide net, he notes. “Even an internal email about an office party could contain sensitive personal information,” Cassidy adds.
- Automate – One of the biggest challenges is to keep track of all of the breaches, says Kingsmill. Under the rules, a record of all breaches must be kept for two years after the breach was identified. Kingsmill suggests that organizations should consider automating their information management and breach tracking. “It has to be continually updated, and that is arduous to do manually,” she says. “You’d be surprised how many organizations are tracking their data on an Excel spreadsheet.”
- Draft policies and procedures – Organizations need a step-by-step plan on what to do, and who will do it, when a breach happens, says Kingsmill. A coordinated communications plan is extremely important. “Keeping the regulator informed as you go along is a minimum,” she says. All communications, including to the media, must be accurate and consistent. She notes that the Alberta Privacy Commissioner provides a good guide on the key steps to respond to breaches.
- Stress test the plan – Even when organizations have a plan in place, there can be a lack of coordination among all stakeholders, especially internally, says Kingsmill. Breach response plans should be regularly tested, she says. “It takes the coming together of all stakeholders to get things right.”
- Train staff – Employees need to clearly understand what constitutes a breach and when there is a real risk of significant harm, says Kingsmill.
More guidance needed
The government should do more to build awareness of the rules, says Smith, noting that the Canadian Chamber of Commerce is currently working on some guidelines for business.
Andre Leduc, vice-president, government relations & policy at ITAC, agrees. “It really is just good business to have these privacy practices in place,” says Leduc. “But government needs to think about how to help small and medium enterprises to deliver.” It isn’t just about the regulations, says Leduc. “Practical tools are absolutely essential to achieve the outcome.”