In November, changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) took effect. The Act sets out the ground rules for how businesses subject to the law must handle personal information in the course of commercial activities. Nearly every business collects personal data of some kind these days; even an email newsletter can put a business at risk. The changes include mandatory breach reports and records, steep fines, and mandatory privacy notifications to affected individuals. In addition, new regulations were imposed on a variety of business activities, including advertising and marketing, cloud computing, outsourcing, and more.
All of these changes went into effect in November, yet a CIRA Cybersecurity Survey Report found that 38 per cent of Canadian businesses lacked awareness of the PIPEDA requirements, and that was for the old requirements.
So how do you know if your business is affected?
1. Take inventory of your business data.
Do you know how the data your business collects is being used? Do you know where it’s being stored? Are the tools your business uses compliant, and if not, who’s liable? The changes to PIPEDA require that businesses implement safeguards to protect their data. This can mean everything from locks on filing cabinets to data encryption to a DNS firewall. Cybersecurity is now an important duty to your customers and includes making sure anyone who has access to personal data understands their responsibility (i.e. no more password123 please).
2. Understand the criteria.
Under PIPEDA, the definition of organization includes an association, a partnership, a person or a trade union. Organizations covered by the Act must obtain an individual’s consent when they collect, use or disclose the individual’s personal information.
WHAT IS “PERSONAL INFORMATION”?
Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
WHAT IS NOT COVERED BY PIPEDA?
There are some instances where PIPEDA does not apply. Some examples include:
3. Plan ahead.
Appoint someone within your organization as the designated privacy official. Provide them with the support and authority to intervene on privacy issues relating to any of your organization’s operations, and develop policies and procedures to protect personal information. Regularly assess your privacy management program and address any shortcomings proactively. Be prepared to demonstrate that you have a privacy management program in place and that it is being followed. Make information explaining your privacy policies and procedures available to customers.
4. Educate yourself.
The Privacy Commissioner of Canada’s website has lots of resources available. Make sure you and your designated privacy official are up-to-date on the requirements and how they affect your business directly.
If you have questions about how PIPEDA compliance can affect your business, reach out to us. We can help.