Riddle us this: how is it possible for Canadian organizations to meet mandatory privacy and compliance requirements when the very perception of what is a threat and what is personal information is not broadly understood? The ActiveCo team spent hundreds of hours, working with the Innovation, Science and Economic Development Office of Canada (the creators of the legislation), to fully understand how the scope of the “Breach of Security Safeguards” legislation could be implemented to the degree the government needs. The first step was understanding the legislation, the next step was defining it for our clients.
What’s Changing?
The incoming legislation requires Canadian organizations to proactively notify individuals, customers, affected third parties and the federal Office of the Privacy Commissioner (the OPC) in the event of a successful security breach. Note that security breach reporting is now mandatory (as of November 1st, 2018). If ignored, this could trigger an investigation into your organization’s practices… and potential fines are substantial for not having the proper procedures or policies in place.
Only 4 out of 10 Canadian organizations have a policy or procedure established at this moment to adapt to this legislation’s requirements. If you don’t know what your policies are, call us before continuing on and we’ll walk you through Step 1 (see below!).
How Do the “Breach of Security Safeguards” Regulations Impact You?
Many of you may remember the commercials in the 1990s about a Pepsi delivery driver and a Coke delivery driver exchanging drinks. This is a great example of something that, today, could easily get one of those individuals fired. Funny at the time but impactful today.
Busted. And fired.
However, not every situation is so cut-and-dry. One person being photographed at a ball game with a beer in each hand may just be a silly picture of a day in their life. That same person being your key sales representative photographed at a ball game with a beer in each hand…could potentially threaten their, and your business’, reputation and credibility.
You may be thinking, “…seriously?” right now after that example, but, yes, seriously indeed.
Many of our initial inquiries and conversations with the writers of this legislation hovered around the topic of what may trigger an investigation. We can summarize the top three:
1. The Office of the Privacy Commissioner spot checks you.
2. An anonymous tip points the OPC in your direction, instigating an investigation (ie – disgruntled employee)
3. A successful security breach must be proactively reported; how prepared your organization is helps dictate how invasive that investigation is (or isn’t).
How do business owners protect their organization?
By understanding what is expected beyond your original compliance “starting point”. That means that every Canadian organization will go through tremendous growing pains navigating the OPC’s expectations. Who will help business owners navigate that? It’s not The OPC; aside from providing online reading materials, little guidance is being given from government bodies.
This is where ActiveCo’s hundreds of hours of research, coordination with the government and production of our own proprietary software to streamline the compliance process comes in. We did the work, so you don’t have to!
Step 1 – Security Posture Assessment
There is no organization too small to not be impacted by the “Breach of Security Safeguards” legislation, the digital world is too risky to continue the way things were done before. ActiveCo has communicated and reviewed with the Innovation, Science and Economic Development Office of Canada, to ensure we understood it’s impact to all industries (so we could provide guidance to our clients). Step 1 to pursuing compliance is establishing your current status; where does your organization stand today within the requirements being laid out?
Your Security Posture Assessment with ActiveCo helps lay the groundwork to move forward. If your organization has not begun on any compliance needs, please reach out to ActiveCo immediately at 1.866.931.3633.
Related Article: Why Canadian Cannot Ignore Canadian Compliance Legislation
