Federal, provincial and international regulations are all applicable to Canadian companies that store any kind of digital data. Keeping on top of all of the regulations that are already in force is difficult enough, and a new digital privacy law is coming into effect in California that will affect Canadian companies storing data on Californians in 2020.
Because of all of these regulations, it is more necessary than ever to select software solution vendors that are secure, reliable, and less likely to subject your private company data to a breach of any kind. It is also wise to involve the Legal Department of your corporation in any decision-making regarding IT so they can review solutions to see if they are compliant with current regulations. Depending on the undertaking, anyone from general counsel to Legal Directors should examine existing and new IT products if they will impact data security in any way – and most IT solutions do.
The following are most of the regulations at the federal, provincial and international level that need to be addressed by data security measures in your business. Meeting requirements for one does not necessarily mean meeting requirements for them all, so they should all be examined to form policies for your organization that can be used when purchasing IT solutions, collecting data on clients, and responding to any data breaches at your organization that may occur.
Federal Canadian Regulation
Area of purview: Any data stored by a Canadian for-profit business
PIPEDA governs not just digital information, but any private information collected in the course of doing business. The Digital Privacy Act was put into force in 2015 and updated in 2018 in order to update PIPEDA to include regulations for what businesses need to do in the event of a data breach, and additional digital security measures that need to be taken with personal information. We have covered the Digital Privacy Act and what it means for your business, but the summary is that if a data breach occurs, your company has a duty to record the breach, no matter how low-level, and notify the individuals who had their data breached. If it does not, it is subject to significant penalties. This heightens the need for cyber security measures that protect your data, network, and IT infrastructure.
The Office of the Privacy Commissioner of Canada has an extensive resource section to assist your business with PIPEDA compliance.
Provincial Regulations
If your business operates in Alberta, Quebec, or British Columbia, your provincial regulations have been deemed similar enough to PIPEDA and can be used in place of it in some cases. However, your legal department should examine the requirements for both sets of regulations to ensure that your business is in compliance with both. For all other Canadian provinces, PIPEDA applies.
Alberta
Personal Information Protection Act (PIPA) (2003)
Area of Purview: All private sector businesses in Alberta. Unlike PIPEDA, nonprofits engaged in commercial activity are subject to PIPA.
Quebec
Area of Purview: All private sector businesses in Quebec.
Act Respecting the Protection of Personal Information in the Private Sector (1993)
British Columbia
Personal Information Protection Act (1997)
Area of Purview: All public and private sector businesses in British Columbia.
Provincial Regulations International Regulations That Affect Canadian Business
The following international regulations can affect Canadian businesses that are storing data pertaining to EU and American citizens.
General Data Protection Regulation 2016/679 (GDPR) (2018)
Area of Purview: Any business storing data on EU citizens.
The GDPR imposes large financial penalties on any business which does not disclose a data breach of data involving EU citizens. This makes it imperative for any Canadian business which does business internationally to choose secure software solutions that keep their data safe.
Clarifying Lawful Overseas Use of Data (“CLOUD”) Act (2018)
Area of Purview: US-based businesses and any Canadian business that is using cloud technology solutions that are based in the US.
This act allows the American government, and even foreign governments, to request access to any data as long as it is stored in the United States. This includes popular services such as Amazon, Google, and Microsoft. While tech companies can challenge these requests, and frequently do, it gives Canadian companies another reason to keep their data in Canada. It also raises questions about proper compliance with the GDPR.
California Consumer Privacy Act (CCPA) (2018)
Area of Purview: One of the following qualifies a business for being liable under the CCPA. Any business which has annual gross revenues in excess of $25 million, possesses the personal information of 50,000 or more consumers, households, or devices; or earns more than half of its annual revenue from selling consumers’ personal information.
Amendments to the California Consumer Privacy Act will come into force on January 1, 2020. These amendments require companies to inform their users if their information may be sold, require companies to disclose the monetary value of user data, and more. Former Privacy Commissioner, Ann Cavoukian, stated in an article for ITBusiness.ca that she does not believe Canadian businesses have anything to worry about when it comes to the new CCPA amendments, as long as they are in compliance with PIPEDA.
If you are looking for a corporate governance software solution, DiliTrust Governance meets and exceeds requirements for all federal, provincial and international regulations. DiliTrust Governance enables your legal department to manage complex real estate holdings, contracts, and anything else. Secure file storage and transmission, as well as other measures informed by cybersecurity best practices keep your sensitive company data – and personal data of individuals – guarded from breaches or unauthorized access. Contact us today to find out more about what we can do to streamline your legal department’s operations with DiliTrust Governance.
