On November 1st, 2018, major amendments are being made to Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA), in line with the European Union’s recent edict, the General Data Protection Regulation. These changes will require data-collecting organizations across the country to align their privacy posture accordingly.
Personal information includes any factual or subjective information such as name, birth date, medical history and income. The new PIPEDA rules require domestic and foreign organizations to report all breaches of personal information to the Office of the Privacy Commissioner of Canada, keep records of breaches and notify individuals about all breaches that put them at “a real risk of significant harm.” Harm can be classified as bodily harm, identity theft, job loss or damage to reputation. Failure to comply could result in an investigation by the Privacy Commissioner, hefty fines or reputational consequences.