Canada’s Data Breach Notification Law Goes Into Effect November 1, 2018

Harris Beach Murtha PLLC
Contact

[author: Brad Davis]

The Cabinet in Ottawa quietly proclaimed on March 26, 2018 that the official implementation date for Canada’s much-needed and long-awaited mandatory data breach notification laws will be November 1, 2018.  Oddly enough, the regulations regarding notification have not yet been finalized.  

The roots of the legislative background begin with the Personal Information Protection and Electronic Documents Act (“PIPEDA”) back in April of 2000, and has since been amended several times to stay current. In June 2015, the Cabinet amended PIPEDA once again with the Digital Privacy Act. Among those changes was a section for data breach notification laws that was reserved and suspended to allow time for organizations to comment.

In September 2017, draft regulations were released, giving organizations some foresight into the direction they will need follow in compliance preparation. The main provisions of the proposed regulations are:

  1. organizations must determine if a data breach poses a “real risk of significant harm” which includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft;
  2. if that breach is determined to meet that threshold, then the affected individuals and the Privacy Commissioner of Canada must be notified “as soon as feasible”;
  3. the organization must notify any other organization that may be able to mitigate harm to affected individuals; and
  4. the organization must maintain a record of any data breach that the organization becomes aware of and provide it to the Commissioner upon request.

Unfortunately, Canadian organizations have a deadline and still no firm regulations to guide preparation in creating appropriate policies and procedures for compliance. The organizations find themselves in a holding pattern until the regulations are finalized. With the clock ticking, this will certainly be a sprint to the finish for data privacy professionals in Canada.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Harris Beach Murtha PLLC

Written by:

Harris Beach Murtha PLLC
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Harris Beach Murtha PLLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide