Since June 18, 2015, Canada’s Digital Privacy Act has made big changes to the protection of personal privacy, cybersecurity, and other issues involving the Personal Information Protection and Electronic Documents Act, which you may know better as PIPEDA. How do these changes affect your small business? What do you have to do to comply with the new requirements? Learn how you can use compliance to not only protect your company, but also your customers’ data.
The change that may affect you most? Individuals now must consent to the use of their personal information, and organizations (such as your small business) must verify that individuals understand when their information is being used and how it’s being used. One big exception to this rule: When the exchange of information is related to criminal and fraud investigations, individual consent isn’t required, even if this exchange occurs between private organizations. One other exception allows organizations to exchange personal information without the consent of the individuals involved when finalizing business transactions.
The DPA requires organizations to notify individuals when a breach involving their personal information could cause them significant harm. Your organization must also maintain clear records of every breach of the security safeguards protecting personal information you control. While this provision was initially unenforced, on Sept. 22, 2017, the Government of Canada amended DPA amendment 10, and Innovation, Science and Economic Development Canada released new regulations that detail potential rules for breach notification and reporting. These new rules go into effect at the same time as the DPA amendment changes.
What Do the Changes Mean?
If you collect or store information, you now need a clear-cut policy for gaining informed consent and dealing with breaches per your DPA obligations. Failure to do so can result in a fine of up to $100,000. Because a fine of that level could easily destroy your small business, it’s vital that you review and update your cybersecurity rules and have procedures in place regarding notification of breaches. These procedures should establish a way to deliver individuals as much information as possible as soon as it’s feasible, and they should include recording the potential severity of each breach and the steps you’ve taken to lessen the damage. You need to keep track of even small breaches, as insurers may use this data to assess your risks and set your business’s premiums.
What You Can Do
If your business has an e-commerce component, you need a written policy about how you deal with data breaches, and your policy must be publicly available on your website for review. When setting up your online shopping cart, do so with cybersecurity in mind. Use a secure e-commerce platform, and ensure that your web hosting company provides you with secure connectivity for your shopping cart. Layered security, including firewalls, helps protect contact forms, logins, and search features against application-level attacks such as cross-site scripting (XSS) and SQL injection.
Protect your personal computer and those of your employees from attacks by keeping antivirus and anti-malware programs up to date, and consider a physical firewall appliance to put even more protection between you and data thieves. Educate your staff about social engineering schemes such as phishing attempts that pose as internal emails and lure workers into entering login credentials on fake websites. Using complex passwords and changing them regularly is also a good idea.
Though big penalties exist for those who don’t maintain compliance with DPA or PIPEDA, your small business can comply quite easily by taking common sense steps to maintain healthy cybersecurity practices that prevent breaches before they occur.