What's the Canada Digital Privacy Act and what are its new mandatory data breach response requirements?

Digital Privacy Act Canada

By Riley Claire. Published 3 years ago. 3 min read.
The Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect on November 1, 2018, and states that Canadian organizations will face onerous and strict new privacy breach response requirements with respect to any breach of data security safeguards. Under the Canada Digital Privacy Act, every organization that collects, uses or discloses personal information while carrying out commercial activity must follow the new mandatory breach requirements. This article covers Canada’s Digital Privacy Act and its new mandatory data breach response requirements.

What is Canada’s Digital Privacy Act?

The Canada Digital Privacy Act (DPA), also known as “Bill S-4,” came into effect on June 18, 2015. The DPA amends the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s current federal data protection statute. The most significant amendment is the addition of mandatory breach notification requirements, which will come into effect only when the Government of Canada issues implementing regulations. Digital testing can also be carried out for effective scrutiny.

The DPA’s amendments to PIPEDA include:

• A new graduated standard for obtaining valid consent

• Additional exceptions to knowledge and consent requirements

• A specific “business contact” exemption provision in the revised definition of “personal information”

• Improved powers for the Canadian Privacy Commissioner, who in certain circumstances is allowed to enter into compliance agreements with organizations to ensure compliance with the DPA

• A requirement that organizations keep a record of every breach

The Canada Digital Privacy Act’s mandatory data breach response requirements are projected to affect the following five areas:

1. The new obligations should be well understood: When preparing for compliance, the organization needs to understand the requirements and consider when the new obligations (notification, reporting and record-keeping) are triggered. Policies and procedures should be properly implemented and in line with the law.

2. Third-party contractor risks need to be addressed: When preparing for compliance with the Digital Privacy Act and mitigating the risks of non-compliance, it is also important to review key third-party contracts. This review confirms that the accountability mechanisms for reporting, monitoring and verifying contractors’ compliance are in line with the new requirements.

3. Employee risks should be dealt with accordingly: Most data breaches, whether malicious or accidental, may be caused by an organization’s employees. The organization should implement a plan to prevent data breaches by its employees, known as a data breach risk mitigation plan.

4. Paper trail: More organizations will be placed under mandatory response requirements, which may expose them to public scrutiny and lead to more lawsuits. An organization’s compliance process creates a discoverable paper trail (materials that must be disclosed to other parties in litigation), so the process should be planned with future litigation in mind.

5. Privilege needs to be protected: With the increased likelihood of lawsuits, organizations must protect all privacy gap analysis materials under legal privilege. Otherwise, this material will be available to investigations by the Privacy Commissioner and can also be used in a civil lawsuit against the organization.

Organizations can significantly reduce liability and reputational risk by preparing in advance for such breaches. In certain scenarios, digital testing can also be conducted.

Conclusion: If you are looking to implement digital testing for your project, get in touch with a globally renowned software testing services company that will provide you with a tactical testing roadmap aligned with your project-specific requirements.

About the Creator

Riley Claire

I’m Riley Claire, a Senior Software Test Engineer at TestingXperts in Canada, and I’m enthusiastic about software automation testing. At TestingXperts, I'm in charge of all actions that fall under the Quality Assurance framework.
