A Guide to PIPEDA Compliance for Canadian SaaS Based Companies

This article was provided by Carbide, a Software Secured partner. Carbide specializes in ensuring compliance with PIPEDA, HIPPA, SOC II and more.

Many countries have enacted data privacy laws to govern how organizations collect, handle, store, and transmit certain types of data. Canada created The Personal Information Protection and Electronic Documents Act (PIPEDA) very early compared to other countries. PIPEDA became law in 2000 to protect its citizens' rights from private organizations as the e-commerce industry was beginning.

Some of the other most common data security frameworks include:

• Health Insurance Portability and Accountability Act: HIPAA regulates the collection, protection, and sharing of patient information in the US.
• General Data Protection Regulation: This EU regulation applies to any company that manages personal data from EU citizens regardless of your business's location
• California Consumer Privacy Act: This law gives California consumers control over how for-profit businesses operating in California collect and use their personal information.

In this blog, we'll examine the Canadian law, PIPEDA, and its compliance requirements.

What is PIPEDA?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian national standard for privacy and personal information security in the private sector. The Act outlines how private organizations collect, store, process, and disclose personal information.

Complying with PIPEDA protects individuals from the misuse of their personal information by private sector organizations for commercial activity. The Canadian government defines commercial activity as "any particular transaction, act, or conduct, or any regular course of conduct that is commercial, including the selling, bartering or leasing of donor, membership or other fundraising lists." PIPEDA gives the individual the right to challenge the accuracy of the information collected and forces private sector organizations to clearly state the reason for collecting said information. Additionally, if their purpose for collecting changes, said organizations must submit a new request to collect personal information for the new purpose.

PIPEDA defines personal data as any information that can be used to identify a person, including but not limited to age, name, income, credit records, medical records, and more. Here is the complete list of what PIPEDA defines as personal data.

In Canada, its provinces have individual privacy laws that the government considers to be "substantially similar"; therefore, they are exempt from PIPEDA. Any federally regulated organization in Canada must integrate PIPEDA compliance.

Why Do Companies Need to Implement Data Security Frameworks?

Data security frameworks allow companies to properly adopt and manage all the requirements that come with being compliant with standards like HIPAA, GDPR, or PIPEDA. Companies need to protect their customers' data, especially given the recent uptick in cybercrime, with many significant breaches making headlines. The recent Kaseya breach affected over 1,000 customers of the MSP. Kaseya's mistake could have been prevented by adhering to security best practices. Some of these frameworks highlighted above give companies guidelines for correctly adopting, implementing, and maintaining security best practices.

PIPEDA's 10 Fair Information Principles Checklist

Under PIPEDA, you must comply with the ten fair information principles. These ten principles give rights to individuals to control how the private sector handles their personal information. These principles govern how you collect, use and disclose personal information:

1. Accountability: In your organization, there must be a designated individual who is accountable for abiding by PIPEDA's ten principles.
2. Identifying Purposes: Before or during collection, your organization must identify the reason for collecting personal information.
3. Consent: Individuals must know why their personal information is being collected, used, or disclosed and must give their consent.
4. Limiting Collection: Personal information collected must be done fairly and lawfully and only in the scope of what your organization has shown they need for their purposes.
5. Limiting Use, Disclosure, and Retention: Personal information can only be collected and used for the purposes your organization expressed when said information was collected and no more. And must not be kept if those purposes have been served and are no longer necessary.
6. Accuracy: Personal information that your organization collects must be accurate and up to date.
7. Safeguards: Collected personal information must be secured and protected from loss, damage, or theft.
8. Openness: Your organization must make the policies and procedures by which they collect and manage personal information public and accessible.
9. Individual access: Owners of the personal information collected must be able to have access to their data, challenge the accuracy, or request their data to be updated with the correct information.
10. Challenging compliance: Individuals have the right to challenge your organization if they think you are not adhering to PIPEDA's ten fair information principles.

Consequences for Noncompliance

The Office of the Privacy Commissioner of Canada (OPC) conducts investigations into cases of PIPEDA non-compliance. If an individual or the commissioner files a complaint, an investigation process begins resulting in either an early resolution or a formal investigation. Depending on the formal investigation results, offenders could face significant fines of up to $100,000, public disclosure of offending parties, and enforcement from the government. You can read more here about the enforcement process for PIPEDA.

Ultimately, one of the most significant consequences of being non-compliant is that you are telling your customers and potential customers that you do not value their privacy. And if you are selling to enterprise customers, you have demonstrated that your business would not be a trustworthy vendor to hold their customer data. This could ruin your reputation and ability to close deals in the future.

How Carbide Can Help You Develop a Stronger Security Posture

To become PIPEDA compliant, you need to understand what your business's current security posture is. How resilient are you to attacks? Running penetration tests is a logical starting point in developing your security program because they provide the hacker's perspective of your defense.

The Carbide Platform lets you quickly implement and demonstrate your compliance with security standards like HIPAA, SOC 2, ISO 27001, GDPR, and more so you can close deals and win business from enterprise customers.