In his recent annual report to Parliament, Canada’s Privacy Commissioner Daniel Therrien called for legislative reform. He referenced recent privacy developments that have major impacts on Canadian companies - big and small.
Here is what you need to know.
Mandatory Breach Notification - Are You Ready?
Canada’s mandatory data breach regulations take effect on November 1, 2018. Organizations that experience a data breach must:
- Determine, by conducting a risk assessment, whether the breach poses a “real risk of significant harm” to any individual whose information was involved. The assessment must consider the sensitivity of the information and the probability that it will be misused;
- Notify affected individuals and report to the Office of the Privacy Commissioner of Canada (OPC) as soon as feasible, if the breach poses a real risk of significant harm;
- Notify any organization that might be able to mitigate harm to affected individuals;
- Maintain a record of all data breaches and provide it to the OPC on request.
The OPC has draft guidance to help businesses comply with these requirements. A final version will be available soon. The guidance offers advice on how quickly a breach should be reported, the way it should be reported, and more.
Read more about data breach regulations.
Obtaining Meaningful Consent
The Guidelines for obtaining meaningful consent, released by the OPC earlier this year, raise the bar for consent under the Personal Information and Electronic Documents Act (PIPEDA). Regulators consider a significant portion of the Guidelines to have the force of law and expect all organizations to adopt them by January 1, 2019.
The Guidelines articulate more rigorous procedures for consent and require organizations to more explicitly highlight four key elements:
- what information is being collected;
- with whom it is being shared;
- for what purposes it is being collected, used or disclosed; and
- meaningful residual risk of significant harm.
The arguably new requirement to disclose significant potential risks of harm – whether financial, emotional or reputational – will impact open-ended information collection practices. A meaningful risk is one that falls below the balance of probabilities but is more than a minimal or mere possibility.
Read more on consent guidelines.
The Aftereffects of the GDPR
The EU’s General Data Protection Regulation (GDPR) is the most significant new data privacy regulation to be introduced anywhere in the world in many years. Due to its extended extra-territoriality rule, it now applies to many Canadian organizations. Its requirements around personal data collection, processing and sharing have an unavoidable impact on data-driven programs used by today’s marketers.
Several jurisdictions outside of Europe are exploring how they can emulate the GDPR approach. In Canada, a Parliamentary committee called for significant amendments to PIPEDA. In addition, the Canadian government announced plans to develop a national data strategy, discussed in the next section.
Read more about GDPR requirements and impact to Canadian organizations.
National Data Strategy
In June, the Minister of Innovation, Science, and Economic Development launched consultations to establish a national data strategy. Key pillars of the consultations include:
- Unleashing innovation: how can Canadian businesses remain competitive in a digital age, how can they adapt their traditional approaches, and how can they increase their ability to identify, adopt and implement digital and data-driven technologies?
- The future of work: how could new technologies impact the way we work, the jobs of tomorrow and the employment landscape?
- Trust and privacy: what is the right balance between supporting innovation and protecting privacy interests while promoting trust when it comes to data?
Read more about Canada’s National Data Strategy.
By Cristina Onosé | Director Government Relations at Canadian Marketing Association
Contact the Public Affairs team.