If you owned gold bars, would you keep them safe? Of course you would. Gold is valuable but so is personal data. Data may not have massive financial value at first glance, in and of itself, but it is valuable to the cybercriminal and thus to the individual this data represents.
During the first half of 2018, over 18.5 million data records were stolen every day, most of them unencrypted.
Data is the new gold. It may not seem on the surface to have the same value as gold, but to our customers, it can represent their very identity. We must now ask ourselves – what does Canadian legislation on data privacy do to help us to protect our customers?
Disclaimer: This blog article was written for general information and does not claim to provide legal advice. To understand the full context of Canadian data privacy legislation for your organization, please consult with a privacy compliance and/or legal professional.
A look at the data privacy landscape in 2019 demonstrates that nothing much has changed. In the United States, for example, a mosaic of laws, bills, and regulations exists, and the debate on consolidation across data privacy legislation continues unabated.
In fact, across the world, there are more than 25 different laws that aim to regulate the processing of personal data. These include:
Canada, along with several other countries, is taking a lead on data privacy.
The Personal Information Protection and Electronic Documents Act (PIPEDA) has been compared to the EU’s GDPR. It sets out national standards for data privacy best practice. As a federal law that applies to the private sector, it brings user-centric data control into the forefront of online transactions.
PIPEDA recently extended the requirements of the act by adding mandatory breach notification requirements. As of November 1st, 2018, both small and large organizations that come under the jurisdiction of PIPEDA must:
Fines for non-compliance with PIPEDA’s breach notification requirements can be up to $100,000 CAD.
The report from the OPC looked at how the Equifax breach affected Canadian citizens, especially in light of the PIPEDA breach notification requirements. The report concluded that Equifax’s security program was severely lacking in terms of vulnerability management and even basic security measures.
The charter has a number of key drivers behind its creation that will ultimately inform its uptake:
A number of pieces of a privacy jigsaw puzzle are coming together in the Canadian Data Privacy Landscape and feeding into the need for a Canadian Digital Charter.
Elements of the Canadian Digital Charter
The Canadian Data Privacy Landscape is becoming a tightly woven and interconnected framework built around a robust charter. This charter works to ensure that personal data is shared in a respectful and security-enhanced manner.
Data is the new gold, and as such, respect for the privacy and security of this commodity can be a major selling point for a business.
A report by Akamai found that 46% of consumers would ‘give a pass’ to an organization that suffered a data breach. This month, Apple released news about a new privacy-enhanced AppleID, “Sign In With Apple”.
Companies across the world are recognizing that good privacy builds better relationships. World governments too are reflecting this with laws and regulations that have nuanced angles on how the data of the individual should be treated.
Canada is leading the way in this area, focusing on the complex issues of privacy across industry and borders. The gold in our digital lives has opened a Pandora's Box that looks set to be closed, but only once this debate has been settled to the satisfaction of all involved.
If you’d like to find out more about your various data privacy obligations, we recommend conducting a privacy impact assessment. It helps public and private entities understand, evaluate and meet their various privacy obligations such as those mentioned in the Privacy Act, PIPEDA, GDPR or any provincial/state law.
Hitachi Systems Security approaches security and privacy as interrelated concepts which must inform each other. Creating a privacy concept while meeting legal requirements involves an interdisciplinary approach with several areas of expertise.
What’s unique is that we have three areas of expertise under one roof: cybersecurity, legal, and compliance/risk management expertise. Our legal, compliance, and cybersecurity experts work hand in hand to deliver a thorough privacy impact assessment that will be actionable, intelligible and measured against all standards.