The Canadian government has set November 1st as the official date on which the new Digital Privacy Act comes into force. From that day, all private Canadian organizations must ensure they adhere to the rules defined by this act. The act outlines regulations governing how data breaches must be handled, specifically who must be notified, and when, in the event of a data leak. Under the act, fines of up to $100 000 can be issued if an organization fails to report a data breach to either the Privacy Commissioner of Canada or the customers affected. Below are three important rules outlined by the Digital Privacy Act.
Reporting to the Privacy Commissioner of Canada
In the event of a data breach, the incident must be reported to the Privacy Commissioner of Canada as soon as possible. The report must contain as much of the following information as is known at the time. First, it must describe the cause and extent of the breach, as well as when it occurred. It must also include an estimate of the number of people affected. Furthermore, it must describe the strategy the organization plans to use to contain the breach and remediate its effects. Finally, contact information for a person who can continue communications with the Privacy Commissioner needs to be provided.
Reporting to the Impacted Customer
A similar report outlining the cause, scope, and remediation strategy must be provided to the individuals affected by the data breach. The Digital Privacy Act specifies that this communication must be done in one of two ways: directly or indirectly.
Direct communication includes methods such as email or telephone, while indirect communication involves public announcements.
However, indirect communication may only be used in one of the following circumstances: if direct communication would cause further harm to the affected person, if direct communication would impose undue hardship on the organization, or if no contact information for the customer is available.
Keeping Reports after Data Incidents
Finally, the Digital Privacy Act states that records of a data breach incident must be kept for a minimum of 2 years after the organization first detects the incident. The Government of Canada states that this record-keeping will bring numerous benefits to the IT security industry. In a statement, it noted that stricter reporting will ensure that affected individuals have the tools to become informed and protect themselves. Furthermore, the availability of these reports will help establish industry standards for handling data breaches. Overall, this will have a positive impact on the ability of Canadian organizations to deal with cybersecurity incidents.
Prepare for the quickly approaching deadline with GigE’s team of IT security technicians. Call us at +1 888 366 4443 for a consultation today.