The Digital Privacy Act – What you need to know




The Digital Privacy Act (known as Bill S-4) became law on June 18, 2015 and changed the landscape with respect to cybersecurity and data protection in Canada. It significantly amends and updates the Personal Information Protection and Electronic Documents Act (PIPEDA), and impacts all companies previously covered by PIPEDA. 

In particular, the Act changes the metrics of risk management and evaluation. The measures undertaken by companies under the PIPEDA regime must be revisited to ensure compliance and disciplined risk assessment under the new legislation.

Business Impacts

· New rules for reporting data breaches: The obligation to report a breach of privacy safeguards has been expanded in a way that may create confusion about what needs to be reported and, just as importantly, what does not. Reporting overreach may be one unintended consequence of the legislation. Businesses will have an opportunity to prepare in advance because this is the only portion of the new law that is not yet in force, although it is expected to come into force soon.

· New rules for recording and internal audit: Notably, a due diligence defence is not specifically contemplated in the statute. The statute imposes a higher standard on recording security breaches and on formal internal audit processes to remediate identified issues. Failure to record security incidents attracts a potential $100,000 fine per violation.

· New standards for consent: The Act introduces a sliding scale of what constitutes informed consent to collect, use and disclose personal information. Organizations that collect personal information from minors or seniors, for example, may be held to higher standards of disclosure and consent. Companies may be required to audit and revise existing privacy policies and to differentiate policies for specific demographic groups.

· Broader enforcement power and larger fines: The Act gives greater enforcement power to the Office of the Privacy Commissioner of Canada, mirroring, in many ways, the function of its U.S. counterpart, the Federal Trade Commission. This may result in more enforcement actions taken against companies, coupled with larger, wider-reaching fines applicable to incidents of non-compliance and privacy breach. How aggressively and how quickly the Privacy Commissioner’s office pursues these compliance actions remains a variable.

How we can help

We offer the resources of Canada’s first multi-disciplinary Cybersecurity, Privacy and Data Protection group. Our team can assist with a review of existing privacy, data protection and document retention practices against the backdrop of new obligations imposed by the Act. This audit includes a risk assessment and gap analysis, and will involve the organization’s technology, risk management, compliance, marketing and legal personnel. From there, we help you develop a strategy to upgrade, document and roll out preparedness and breach response processes, and are able to provide internal training to nurture buy-in at an operational level.

In an effort to provide our clients with proactive and practical advice, we have developed a suite of Client Solutions that address both readiness/compliance and data breach/privacy crisis response. These scalable solutions include toolkits, processes, risk matrices and outcomes designed to reduce your risk exposure, with the added benefit of cost certainty. Our Document Retention Toolkit, Digital Privacy Act Compliance Diagnostic and Incident Readiness and Response Plan Diagnostic are just a few solutions we offer within our suite of cyber-related risk management solutions.

More broadly, we have developed a Cybersecurity Risk Management guide designed to help companies think critically – at a high level – about both their preparedness and crisis management protocols.

To discuss your compliance efforts or to obtain a copy of our materials, please contact:

TORONTO

Barry B. Sookman
416-601-7949

MONTREAL

Charles S. Morgan
514-397-4230

TORONTO

Daniel G.C. Glover
416-601-8069

CALGARY

Catherine M. Samuel
403-206-5528

TORONTO

Kirsten Thompson
416-601-7797

VANCOUVER

David Crane
604-643-5891

Analysis from our team:

Businesses Should Re-evaluate Approach to Privacy with Passage of Digital Privacy Act

The Digital Privacy Act – full text

Client Solutions:

Digital Privacy Act Compliance Diagnostic

Incident Readiness and Response Plan Diagnostic
