8 February 2018 | by David Fraser


Part V: Is Your Business Ready for Mandatory Privacy Breach Reporting?

[Editor’s Note: A version of this blog previously appeared on David Fraser’s Blog. This blog has been edited to appear in 5 parts]

In David’s previous post, he introduced what the impacts will be on business, consumers and the Office of the Privacy Commissioner of Canada (OPC) as well as the social and economic benefits of this required breach reporting. In this post, he introduces the impact on Small Business lens and the implementation, enforcement and service standards for all businesses to adhere.

Small business lens

The small business lens does not apply because the estimated nationwide cost impact of this regulatory proposal is less than $1 million per year.

Implementation, enforcement and service standards

The proposed Regulations would come into effect at the same time as the statutory requirements pertaining to data breach reporting under Division 1.1 of PIPEDA. The coming into force of the statutory requirements will be established through a subsequent Order in Council once the Regulations are final.

The proposed Regulations will allow for a delayed coming into force after the publication of the Regulations. This will give regulated organizations time to adjust their policies and procedures accordingly and to ensure that systems are in place to track and record all breaches of security safeguards that they experience.

In the meantime, ISED will work with the OPC to identify areas where guidance material is required to assist organizations in interpreting and complying with their new obligations. Particular consideration will be given to providing guidance on conducting a risk assessment.

Enforcement of the proposed Regulations would reflect the existing compliance regime under PIPEDA, whereby the Commissioner is responsible for providing oversight and investigating complaints. Record-keeping plays a key role in the oversight regime — the Commissioner can conduct an audit or launch an investigation based on a record or group of data breach records. The OPC will also use data breach information to increase awareness and understanding of the extent and nature of data breaches in Canada.

New provisions for offences and fines for willful and deliberate contravention of these new requirements were imposed by the Digital Privacy Act. As per other contraventions and offences under PIPEDA, courts are authorized to impose fines pertaining to a contravention of the data breach reporting provisions and to order non-compliant organizations to change practices.

ISED will evaluate the need for amendments to the Regulations on an ongoing basis based on results of data breach reporting that are provided by the OPC, and on informal stakeholder feedback from regulated organizations.

This concludes this 5 Part series. For more information on mandatory breach notification, check out David’s blog.

Read the other posts in the series:

[Part 1] [Part 2] [Part 3] [Part 4] [Part 5]

For information on how you can help mitigate data breaches and protecting your business against up to 80% of common internet threats, learn about Cyber Essentials Canada –

Cyber Essentials Canada



Latest Posts

Looking for more information on Certification and Cybersecurity Updates?