We recently celebrated the first Data Privacy Day since the European General Data Protection Regulation (GDPR) went into effect. Additionally, November 2018 marked the go-live date for new data breach handling rules under the Personal Information Protection and Electronic Documents Act (PIPEDA) for companies operating in Canada.
If you haven’t done so already, now is a great time to take a look at how you’re approaching customers’ data and privacy — and to ensure your business is taking a proactive, information-driven approach to privacy protection. For small businesses, in particular, reputation is everything, and a single breach could impact your entire business.
Changes to PIPEDA: What you need to know
While the data privacy law itself did not really change, there were two very important additions to the existing legislation that any company will need to be mindful of:
Breach notification: It is now mandatory that any breach deemed to pose a “Real Risk of Significant Harm” (RROSH) is reported as soon as feasible. This means there is no hard window within which notifications must be made. This flexibility was built in to allow companies time to work with law enforcement and to assess whether the notification itself may add to the damage in the short term. That isn’t to say you can sit on it forever, as the Office of the Privacy Commissioner (OPC) will evaluate your overall incident response (and possibly add fines).
Obviously, the OPC needs to be notified, as do the individuals affected by the breach. Less obvious is the last group needing notification: “other” organizations. This could mean having to notify law enforcement, but it could also mean having to notify banks or credit companies depending on the data that was affected. This really drives home the need to have a proper Incident Response Plan in place to identify all the whos and whats. You can even be penalized for NOT having a plan or properly established security safeguards.
Record keeping: The other change will really cause some folks heartburn! Regardless of whether a breach or incident was deemed to have met the RROSH threshold, all breaches of any kind must now be properly recorded. Those records must be kept for a period of two years and be readily accessible to the OPC upon request.
Think about that for a second.
So what’s considered a breach? The loss or theft of, or the unauthorized access to, disclosure, copying, use, modification or destruction of, personal information (PII) constitutes a breach. That’s quite a broad spectrum of possible events. Accidentally delete a backup of your client database? That counts (destruction). Lose a laptop with client data on it? Totally counts (loss). Email a list of customers to another company? Yup (unauthorized copying/use).
Set your business up for successful compliance
So, how can you strengthen customers’ privacy to comply with regulations, and ensure you are ready to effectively identify and respond to any breach? Here are a few things to consider:
- Frequently review privacy settings for the various tools you use. Don’t take it for granted! Many applications reset their privacy configurations following an update, which may leave you exposed if you don’t go back and check on them.
- Be aware of what information you are giving away! Does that site really need a postal code or birth date for you to download its promised content?
- Are the companies you partner with just as diligent in their handling of data as you would be with your own? Do you trust those companies will respect the privacy of your clients as much as you do?
- Know where your data is and what it is – in your data center, in the cloud, at the edge… everywhere. Keep a detailed index of the data that you can reference, search and audit against.
- Take a good look at the processes you have in place. Make sure you have an Incident Response Plan, for example, so if an issue arises you are prepared in advance to take action.
- Don’t just focus on applications – unstructured data and laptops probably account for 70-80 percent of your data and will still contain large amounts of personal data.
- Investigate tools that can support these actions and initiatives. Commvault offers many solutions to ensure you are compliant, and that data remains safe.
Data has value. Your data, for example, can be sold for advertisers to target, hackers to compromise, or other third parties to use for research or perhaps less benign intents. The game has changed, and the time for us to question the players is now. Your data and your clients’ data have value, and you should be sure you are treating them with the same care you would any precious cargo.
Matt Tyrer is the Ottawa-based Senior Manager, Solutions Marketing for the Americas for data protection leader Commvault. Matt is an IT industry veteran with nearly 20 years of experience, including the past 10 with Commvault. He has worked with teams from around the world to build and implement data management and protection solutions for customers of all sizes. A self-described geek, Matt understands the importance of Han shooting first, why being “shiny” is a good thing, that boxes are excellent camouflage, and why one should always be afraid when it’s Buffy’s birthday. Beyond this, he loves to travel (sometimes with his family), plays golf (poorly), tries to find time for the dusty PS4 (rarely does), and always finds time for his family.