Mandatory privacy breach notification is coming November 1 - Are you ready?

Posted: October 10, 2018 | Last Updated: October 10, 2018

Do you have November 1 circled in your calendar?

If your organization collects personal information for business purposes, then as of November 1, you will have a legal obligation to report privacy breaches that result in the unauthorized disclosure of, or access to, that personal information.  You will also be obligated to keep records of all privacy breaches that are suffered by your organization.

Failure to meet these obligations could result in fines of up to $100,000.00.

There are only a few weeks before mandatory privacy breach notification becomes the law in Canada.  But it's not too late to act, and we are here to help.  Some of the things your organization should consider include:

  • Find out if the law applies to you.  Only businesses which are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) need to follow these obligations.  If your organization is in the public sector, PIPEDA's breach reporting rules will not apply (but note that PIPEDA can apply to non-profits that are engaged in commercial activity).
  • When is it necessary to notify?  PIPEDA's reporting obligations are only triggered if the privacy breach is likely to create a "real risk of significant harm" to the affected person or persons.  We can help you determine what that means, on a case-by-case basis, and also more generally, by providing guidance that will help you ask the right questions to determine if the reporting threshold has been crossed, on a go-forward basis.
  • What do you need to say in your report, to whom, how and when?  PIPEDA contains detailed rules about the necessary form, content and manner of breach notification.  We can also help you understand who needs to be notified, once notification is required, and how to do it.
  • What kind of records do you need to keep?  Don't forget that you are required to keep a record of all privacy breaches, even those that do not result in a "real risk of significant harm" to the affected person or persons.  We can provide advice about what information should be kept by your organization, in order to satisfy PIPEDA's recordkeeping obligations.
  • Should I have a breach response plan, and what should it say?  We have advised many organizations about proactive measures to ensure they are ready to meet their breach notification obligations.  We would be pleased to do the same for you.


Are you ready for breach reporting?  Whether you're looking to fine tune your existing procedures, or if you're starting from scratch, we are here to help.  Please contact us, to learn more about your obligations and what you can do, to meet them:

Andrew Buck
[email protected]

Adam Herstein
[email protected]