Regulatory changes to Canada’s data protection and privacy laws will require businesses to comply with legislation governing how they handle Canadians’ personal information.

The Personal Information Protection and Electronic Documents Act (PIPEDA) has been rolled out in stages since 2001, but it is the most recent provisions that have spurred businesses in the country to bring their practices in line with the law.

When the new regulations take effect this year, businesses will be required to notify both the individual and the Office of the Privacy Commissioner (OPC) when there's a breach. This represents a significant change in terms of compliance obligations, with the added caveat that it can alter the perception of companies who have been breached, says Scott Smith, Director of Intellectual Property and Policy Innovation at the Canadian Chamber of Commerce.

“It’s going to be more prevalent in the media once those regulations are in place,” says Smith. “It’s incumbent on companies who are handling personal information to be more diligent about their cybersecurity and internal privacy practices. We're not just talking about electronic breaches, but rather anything that happens within a given business environment.”

Smith says the legislation's intent is to determine whether a breach is material in nature, meaning it could cause significant harm to the individuals affected. Up to this point, companies have made that determination unilaterally.

Personal data awareness

At the same time, the European Union’s new General Data Protection Regulation (GDPR) will go into effect on May 25, 2018, and will require businesses operating in its member states to comply with new personal data privacy and protection rules.

PIPEDA and GDPR are not harmonized, so Canadian enterprises shouldn’t assume that complying with one amounts to complying with the other, Smith notes. He also raises one aspect he believes may be overlooked: the treatment of personal information that has been stripped of personally identifiable details (de-identified data).

“This is generally the case for a lot of high-tech companies that are using big data to generate new algorithms protecting behaviours,” he says. “Similar to the apps you use, they look at the behaviour of a large group of people that are doing specific things, and how they can target a product to that individual that fits the profile.”

GDPR is more stringent in that it affords individuals “the right to be forgotten” (the right to erasure), which allows them to have their personal information erased once it is no longer necessary for the purpose for which the company originally collected it.

PIPEDA is less explicit on this point, so any business operating in both jurisdictions may find it difficult to stay on top of both regulatory regimes.

Seeing the cloud

Enterprises looking to the cloud for providers who can navigate the new rules on both sides of the Atlantic may find willing takers. Cybersecurity and software firms have anticipated the upcoming changes.

“The GDPR requires that organizations respect and protect personal data – no matter where it is sent, processed or stored,” says Brendon Lynch, Chief Privacy Officer at Microsoft.

Lynch says it will take time, tools, processes and expertise for businesses to comply with the GDPR, and to do this organizations will need to make changes to their privacy and data management practices. But, he says, cloud technology can help businesses meet their GDPR obligations in areas including deletion, rectification, transfer of, access to and objection to processing of personal data.

“Complying with the GDPR will not be easy,” Lynch says, “but moving your organization’s data to the cloud will help simplify and accelerate the path to GDPR compliance. In addition, with data now being such a critical asset, businesses should see moving to the cloud as an investment that will help create more agility and support innovation across their organizations.”