February 27, 2019 by David Smagata, DAS
How can small businesses stay compliant under PIPEDA?
The Office of the Privacy Commissioner of Canada has published various online resources to help both individuals and businesses better understand their obligations under the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Here are 3 tips on how small businesses can stay compliant under PIPEDA:
An investigation under PIPEDA has three stages. Once an investigation begins, initiated either by an individual complaint or by an issue identified by the Office of the Privacy Commissioner of Canada (OPC), it moves into the ‘Intake’ stage. During this stage, the unit reviews complaints and gathers additional information to move into the ‘Investigation’ stage. Once the complaint is accepted, the investigation commences. If the complaint cannot be easily resolved, a formal investigation will be required. The complaint may then move through the ‘Further Enforcement Tools’ stage. Following the completion of the Privacy Commissioner’s investigation, a business can then face civil action for damages from the individuals who were affected by the breach.
As of November 1st, 2018, regulations came into effect requiring organizations to notify affected individuals and the OPC in the event of a serious data breach. Organizations must keep a record of all breaches, but only need to report breaches that pose a real risk of “significant harm”. In assessing whether a breach creates a real risk of significant harm, the organization will need to consider the sensitivity of the personal information and the probability that the information has been, is being, or will be misused.
Taking steps to ensure your business remains compliant under federal privacy laws will require time and commitment from your organization. It also just makes good business sense, as your customers place a high value on you taking all steps possible to keep their data safe. Fortunately, business owners can use the numerous resources published by the Office of the Privacy Commissioner of Canada to help ensure they remain compliant. For more information, visit: https://www.priv.gc.ca/en
As Chief Legal Officer and an Insurance Executive, David Smagata leads Claims, Compliance, and Legal in the management of compliance risk, liability and litigation, and corporate oversight for DAS Legal Protection Inc. With almost 20 years of experience in litigation, in conjunction with strong managerial and operational background experience, David brings an insightful and proactive approach to legal issues and a unique ability to solve complex legal and corporate challenges in the financial services field.