Under Canada’s newly enacted Digital Privacy Act, corporations now face severe penalties if they do not properly notify affected individuals when their information is breached. This puts the need for heightened cyber security measures sharply into focus and makes choosing secure software solutions critical.
On November 1, 2018, the Digital Privacy Act went into effect in Canada. The Digital Privacy Act is an amendment to the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs the storage and protection of personal data. While not as restrictive as the European Union’s General Data Protection Regulation (GDPR), the new regulations under the Digital Privacy Act open Canadian businesses up to significant penalties if they do not safeguard personal data and properly report any breaches that occur to the affected individuals.
New Breach Notifications and Record-keeping Mandatory Under the Digital Privacy Act
Under PIPEDA, Canadian businesses have to properly safeguard personal information with security measures appropriate to the sensitivity of the data. The Digital Privacy Act makes it mandatory to notify affected individuals of a data breach when there is a “real risk of significant harm” to the individual. These notifications need to be made directly to the individuals affected via email, phone, letter to their most current address, or in person.
If there are any breaches, no matter how inconsequential they may seem, the organization must now make a record of them. For example, if a third-party contractor sits down at a computer with customer data on the screen that they should not have access to, that incident would have to be logged.
Financial Penalties for Failures to Notify And Log Data
The penalties for not reporting and notifying affected individuals of data breaches are significant. Organizations are liable for up to $100,000 in fines, and this extends to directors who are personally liable for fines up to the same amount. Canadian law firm McInnes Cooper cautions that organizations also leave themselves open to civil lawsuits, investigation by the Office of the Privacy Commissioner, and significant reputational damage.
It is also worth noting that Canadian businesses are liable for much larger penalties under GDPR legislation. Any large corporation is probably going to have data from EU citizens in its datasets. If this data is breached, the corporation could be subject to fines under the GDPR that are up to 4 percent of the annual worldwide turnover of the corporation.
Cyber Security is Now a Risk Management Consideration
One in five Canadian businesses were hit with a cyber security breach in 2017. The costs of recovering from these breaches are much higher than any preventative measures would have been. Now, with the Digital Privacy Act and the GDPR in play, corporations can no longer take a “wait and see” approach with cyber security.
All software from DiliTrust, including the DiliTrust Exec board portal and DiliTrust Governance corporate legal software solution, uses extra security measures to guard against data breaches and cyber attacks. All data from DiliTrust solutions is stored on servers in Canadian data centres for our Canadian clients, and DiliTrust solutions are in full compliance with PIPEDA and the GDPR. Since DiliTrust is headquartered in France, it is the only board governance software provider that has coded its solutions from the ground up in full consideration of the GDPR, which is far more restrictive than PIPEDA even with the new amendments of the Digital Privacy Act.
If you would like to find out more about our software solutions for your board communications and corporate governance that go over and above best practices recommended under Canada’s Digital Privacy Act and the GDPR, contact us today for more information.