How Exposed Is Your Organization Under the November 1, 2018, Digital Privacy Act?
Compudata Can Lead Your Business Away From Risks that Include:
- Data loss
- Failure to meet obligations
- An official investigation of your business
- Civil lawsuits
- Devastating reputational damage
New Mandates Handed Down By Ottawa Work to Better Protect Personal Data
Enhanced privacy rules designed to better safeguard personal data have gone into effect as of November 2018. Under the new Digital Privacy Act, organizations that were already subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) are now more accountable and closely scrutinized for the way that they keep records and notify their clients in the event of a data breach.
Compudata is ready to field all of your questions about your organization’s readiness to regulate the sensitive personal information you have access to. Canadian law already obligates organizations to secure sensitive personal information, such as medical and financial information, in a manner that is appropriate to the sensitivity of the material. The new Digital Privacy Act, however, extends liability for organizations that fail to meet the required protocols outlined by PIPEDA.
Every organization that is subject to PIPEDA compliance also needs to meet the criteria found in the Digital Privacy Act. This includes any private sector organization that collects, uses, or discloses personal information in the course of commercial activity in Canada, except in Quebec, Alberta, and British Columbia, which already have provincial legislation in place similar to PIPEDA. The act also applies to foreign organizations that do business in the affected regions of Canada.
The new mandate extends organizational responsibility for data breach reporting. Some terms every organization should be aware of include:
Breach of Security Safeguards
The Digital Privacy Act expands on what is commonly understood to be a breach of security and privacy standards. It defines a breach of security safeguards as a situation that happens when there is the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards… or from a failure to establish those safeguards.
This places on the organization the responsibility of notifying parties affected by internal security breach scenarios, including unauthorized viewing of protected information. This language presents a major shift in responsibility for any organization that handles a consumer’s private information.
Real Risk of Significant Harm
The Digital Privacy Act also expands the definition of “significant harm” to include bodily harm, humiliation, reputation damage, relationship damage, loss of employment, loss of business or personal opportunities, financial loss, identity theft, negative effects on the credit report, and damage to or loss of property.
The Digital Privacy Act carries with it some very serious consequences for organizations found to be in non-compliance. These include:
- Organizational and Administrative Exposure to Fines up to $100,000 - While not a criminal offence, the penalties are in line with those of criminal offenders. Failure to meet the obligations under the mandate exposes organizations to large fines and individual scrutiny.
- Investigation - As with non-compliance with the PIPEDA mandate, organizations found to be in breach of the Digital Privacy Act stand to be investigated by the Office of the Privacy Commissioner. These investigations are often costly and public.
- Civil Lawsuits - Affected parties may choose to file civil litigation against the organization responsible for the breach. Since the resources necessary to fight a civil lawsuit are substantial, many smaller businesses may find it difficult to sustain operational integrity while the situation plays out in a very public setting. Since insurance can’t always be depended on to cover the cost of civil action, staying proactive and vigilant is always going to be an organization’s best strategy.
- Reputational Damage - It goes without saying that any time an organization's brand is publicly exposed for putting customer information at risk, it can have major negative consequences for that organization.
What Can I Do?
To stay in compliance with the Digital Privacy Act, you need to understand where your IT infrastructure and policies stand in relation to the mandated laws. Building a comprehensive strategy that allows your organization to meet the requirements of the new mandatory privacy breach response provision in the Digital Privacy Act is essential to its long-term sustainability.
At Compudata, our certified IT experts can help you produce a proactive strategy that will work to protect your clients and your business. Our team knows exactly how to help you mitigate organizational risk by helping you meet the challenges presented by PIPEDA and the new Digital Privacy Act head on.