Canadian Privacy Update: Changes to Privacy and Cybersecurity Laws May Tighten Data Protection Compliance in Canada
Our team recently shared insights on the impending changes to Canadian privacy law. While the changes remain in committee within Canadian Parliament, they continue to be important developments for organizations to watch and prepare for the implications of their passage. This post reshares the takeaways from the previous one.
Canadian Parliament is still considering the passage of the Digital Charter Implementation Act (Bill C-27) and the Critical Cyber Systems Protection Act (Bill C-26), laws that will simultaneously strengthen data privacy and data protection requirements in Canada and replace or amend other existing regulations, including the Personal Information Protection and Electronic Documents Act (PIPEDA). If these laws are passed in their entirety as expected, organizations in Canada may have little time to implement compliance.
What is notable about these bills is how dramatically they stand to change the way Canadian organizations will be required to manage and protect personal data. The apparent intent is for Canada’s official stance on data protection to closely emulate the European Union’s under the General Data Protection Regulation (GDPR). Initially, enforcement action will likely focus on data breaches: as organizations issue the required notifications following a breach, the government will have the authority to closely examine their governance and cybersecurity infrastructure to determine whether it meets established standards.
In addition to elevating Canada’s foundational data protection requirements to a similar level of rigor as GDPR, the new laws are positioned to increase the penalties for data breaches and data privacy violations from the current maximum of $100,000 under PIPEDA to $25,000,000 or 5% of an organization’s entire global revenues, whichever is larger. General counsel and the board of directors may also be held personally liable and may be subject to fines separate from or in addition to any penalties levied against the company.
Many organizations in Canada remain ill-prepared to meet the stringent compliance requirements proposed in Bill C-26 and Bill C-27, putting their businesses at significant potential risk given the scale of the monetary penalties. While a portion of large organizations in Canada operate internationally and therefore may have programs in place to comply with GDPR or U.S. laws such as the California Consumer Privacy Act, countless others have not even conducted information governance, privacy and cybersecurity assessments to understand their gaps and vulnerabilities. Likewise, organizations that have not been anticipating these changes to Canadian law have likely not allocated the budget, resources or strategic planning that will be needed to quickly and effectively implement new data protection policies, processes, technology and controls.
Another critical aspect of change under these impending laws is the addition of private rights of action. Whereas many privacy laws are enforceable only by a regulatory body or attorney general, Bill C-26 and Bill C-27 are written to provide private rights to citizens so they may take direct action against an organization for misuse or breach of their personal information. This stipulation could set a new standard for privacy compliance, as it will require organizations to apply stronger diligence to mitigate potential risk relating to individual or group actions.
Given this backdrop, there are several important considerations and steps organizations can begin to address while waiting for final decisions in Parliament. These include:
- Evaluate the current state of data protection, cybersecurity controls and governance across the organization, and assess their rigor against frameworks from NIST and other leading standards bodies. The assessment should account for nuances relating to industry, as organizations in certain sectors may have less sophisticated data controls than others (e.g., energy, manufacturing) and/or a higher volume of personal data within their systems (e.g., health care and consumer services).
- Take a data inventory to determine what types of sensitive information are collected, stored, used, shared, etc., within the organization and how they flow between different internal functions and outside parties. Special attention should be given to personally identifiable information, personal health information and payment card industry data, all of which are focus areas of the Canadian government’s enforcement objectives.
- Document processes and all diligence steps taken to strengthen data privacy and cybersecurity. Any organization that experiences a breach will need to defensibly demonstrate to the government that it has taken a comprehensive approach to preventing data breaches and adequately protecting personal information.
- Consider and closely examine how company data is shared with third parties, whether those activities are in compliance with data privacy rules, and what protections third parties have put in place to prevent data breach or exposure of personal information.
Strong information governance, privacy policies and cybersecurity practices are increasingly linked to an organization’s resilience against digital risk. Soon, these best practices are likely to become legal requirements in Canada. While some organizations may be reluctant to invest the time, resources and budget needed to implement rigorous programs, doing so helps reduce the downstream costs, regulatory penalties and legal issues that can arise in the wake of a data breach or other incident in which sensitive data is exposed.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.