The Cabinet in Ottawa quietly proclaimed on March 26, 2018 that the official implementation date for Canada’s much-needed and long-awaited mandatory data breach notification laws will be November 1, 2018.  Oddly enough, the regulations regarding notification have not yet been finalized.  

The roots of the legislative background begin with the Personal Information Protection and Electronic Documents Act (“PIPEDA”) back in April of 2000, and has since been amended several times to stay current. In June 2015, the Cabinet amended PIPEDA once again with the Digital Privacy Act. Among those changes was a section for data breach notification laws that was reserved and suspended to allow time for organizations to comment.

In September 2017, draft regulations were released, giving organizations some foresight into the direction they will need follow in compliance preparation. The main provisions of the proposed regulations are:

  1. organizations must determine if a data breach poses a “real risk of significant harm” which includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft;
  2. if that breach is determined to meet that threshold, then the affected individuals and the Privacy Commissioner of Canada must be notified “as soon as feasible”;
  3. the organization must notify any other organization that may be able to mitigate harm to affected individuals; and
  4. the organization must maintain a record of any data breach that the organization becomes aware of and provide it to the Commissioner upon request.

Unfortunately, Canadian organizations have a deadline and still no firm regulations to guide preparation in creating appropriate policies and procedures for compliance. The organizations find themselves in a holding pattern until the regulations are finalized. With the clock ticking, this will certainly be a sprint to the finish for data privacy professionals in Canada.