If getting your IT systems to support privacy legislation is your jam, you’re going to love the latest update to the Personal Information Protection and Electronic Documents Act (PIPEDA). Better yet, you can apply your experience meeting the General Data Protection Regulation (GDPR) to your PIPEDA compliance efforts.
Changes to PIPEDA regulations
Like GDPR, Canada’s new privacy breach notification rules were in the works for some time, thanks to amendments to PIPEDA by the Digital Privacy Act. Taking effect November 1, the new rules mean organizations must to notify individuals and Canada’s Privacy Commissioner of all security breaches that could result in a “real risk of significant harm” to an individual. They apply to any organization, except in Quebec, Alberta and British Columbia, which all have their own privacy legislation.
Another pending change to PIPEDA the finalized consent guidelines, released by Office of the Privacy Commissioner of Canada in May. This update also has similarities to GDPR, as it provides guidance on the collection, use, or disclosure—collectively, processing—of the data subject’s personal information. PIPEDA’s “Guidelines for obtaining meaningful consent,” set out both mandatory and suggested steps for organizations. These updates take effect in January 2019.
Latest PIPEDA principles follow in GDPR’s footsteps
If you recall your GDPR prep, you’ll also recall PIPEDA compliance wasn’t enough to meet the demands of the European Union’s legislation that was designed to protect privacy of their citizens regardless of geography. But a culture of privacy protection works in your favour. Just as your PIPEDA compliance was good prep for GDPR, the PIPEDA amendments should be easier to wrap your head around now that you’re GDPR compliant.
These updates impact your IT team, but you’ll need to collaborate across the organization for effective PIPEDA compliance. Security, legal and communications staff all need to be on board. Protecting privacy isn’t just about technology, it’s a mindset, so you’ll need a executive champion to lead and maintain the necessary culture shift in the organization.
But if you want to boil down the latest PIPEDA compliance requirements into a plan of action, here are five things you should do:
- Know your data: PIPEDA and GDPR both require that you understand how a person’s person data flows through the organization—how it’s collected, how it’s moved, how it’s stored, and most of all, what it’s being used for. You need to map all personal and sensitive data, and you might want to consider not collecting unnecessary data—once you have it, you’re responsible for safeguarding it.
- Revise policies and procedures and create new ones: GDPR required new ways of thinking, and the PIPEDA update specifically requires a process to notify data subjects of a breach—again, just like the European legislation. Beyond that, you need to think about how it affects your business processes that involve data collection, such as marketing and customer onboarding.
- Automate where possible: Privacy protection is dependent on good information security practices, which today can no longer depend on people alone. Just as good security takes advantage of artificial intelligence, machine learning, the embedded features of a modern operating system, and smart devices that can help protect against threats, you need be proactive and not reactive, and embrace privacy by design. You should have an information management system that can track breaches, just as you would with any other IT issue.
- Run fire drills: Like any disaster recovery and data protection plans, you should periodically test your breach response plans to make sure everyone plays their part should a breach occur because it’s not a matter of if, but when. You want your breach response process to be by the book, so you can minimize risk and potential litigation.
Privacy has been the new normal since the initial inception of PIPEDA, but it’s a landscape that continues to evolve—the legislation was intended to be reviewed every five years since being introduced more than 15 years ago. What’s most important to remember with these latest updates is that PIPEDA compliance is a mindset and protecting sensitive data needs to be part of your organization’s culture. Thinking about privacy intentionally will help you stay compliant in the long run, no matter how regulatory frameworks or legislation evolve.
Gary Hilson is a freelance writer with a focus on B2B technology, including information technology, cybersecurity, and semiconductors. A revised version of this article was published on Tektonika Canada.