This article was provided by Carbide, a Software Secured partner. Carbide specializes in compliance with PIPEDA, HIPAA, SOC 2 and more.
Many countries have enacted data privacy laws governing how organizations collect, handle, store, and transmit certain types of data. Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) was one of the earliest: it received Royal Assent in 2000, as e-commerce was taking off, and came into force in stages from 2001 to protect individuals' personal information in the hands of private-sector organizations.
Some of the other most common data security frameworks include:
In this blog, we'll examine the Canadian law, PIPEDA, and its compliance requirements.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector privacy law. It sets out the rules private-sector organizations must follow when they collect, use, disclose, and safeguard personal information in the course of commercial activities.
PIPEDA protects individuals from the misuse of their personal information by private-sector organizations engaged in commercial activity. The Act defines commercial activity as "any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists." PIPEDA gives individuals the right to access the information an organization holds about them and to challenge its accuracy, and it requires organizations to identify the purposes for which they collect personal information at or before the time of collection. If an organization later wants to use the information for a new purpose, it must identify that purpose and obtain the individual's consent before doing so.
PIPEDA defines personal information as information about an identifiable individual. That includes, but is not limited to, age, name, income, credit records, and medical records; the definition is deliberately open-ended, and the Office of the Privacy Commissioner's guidance gives a fuller list of examples.
Some provinces (Alberta, British Columbia, and Quebec, as well as several provinces for health information) have private-sector privacy laws the federal government has declared "substantially similar" to PIPEDA. Organizations operating entirely within such a province are exempt from PIPEDA for that activity, but PIPEDA still applies when personal information crosses provincial or national borders. Federally regulated organizations, such as banks, airlines, and telecommunications companies, are subject to PIPEDA wherever they operate.
Data security frameworks help companies adopt and manage the requirements that come with being compliant with standards like HIPAA, GDPR, or PIPEDA. Companies need to protect their customers' data, especially given the recent uptick in cybercrime, with many significant breaches making headlines. The 2021 attack on Kaseya, whose remote-management software is used by managed service providers (MSPs), spread through those MSPs to more than 1,000 of their downstream customers. Attacks like that one exploit gaps that security best practices are designed to close. Frameworks such as those above give companies guidelines for correctly adopting, implementing, and maintaining those practices.
Under PIPEDA, you must comply with the ten fair information principles set out in Schedule 1 of the Act. They impose obligations on organizations and give individuals corresponding rights over how the private sector handles their personal information. The principles govern how you collect, use and disclose personal information:
1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure, and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance
The Office of the Privacy Commissioner of Canada (OPC) investigates complaints of PIPEDA non-compliance. When an individual or the Commissioner files a complaint, the process begins with an attempt at early resolution and, failing that, moves to a formal investigation. The OPC cannot impose fines itself: it issues findings, may name the organization publicly, and may apply to the Federal Court, which can order the organization to change its practices and award damages. Separately, the Act makes it an offence, punishable by fines of up to $100,000, to knowingly fail to report or keep records of a breach of security safeguards, to obstruct the Commissioner, or to retaliate against an employee who reports a violation. The OPC's website describes the enforcement process in more detail.
Ultimately, one of the most significant consequences of being non-compliant is that you are telling your customers and potential customers that you do not value their privacy. And if you are selling to enterprise customers, you have demonstrated that your business would not be a trustworthy vendor to hold their customer data. This could ruin your reputation and ability to close deals in the future.
To become PIPEDA compliant, you first need to understand your business's current security posture. How resilient are you to attacks? Running penetration tests is a logical starting point in developing your security program because they provide the attacker's perspective of your defenses. Pair them with a gap assessment against the ten principles, since PIPEDA also covers consent, access, retention, and breach reporting, none of which a penetration test exercises.
The Carbide Platform lets you quickly implement and demonstrate your compliance with security standards like HIPAA, SOC 2, ISO 27001, GDPR, and more so you can close deals and win business from enterprise customers.