Is Your Organization Ready for November 1st?
I find it’s always good to start off a Newsletter by asking a question. This helps focus people’s attention, as well as my own writing. It gives the Newsletter an immediate sense of direction. So, it’s time for today’s question:
“Is your organization ready for November 1st?”
Seems like an odd question. Well, let me explain why I’m asking.
Something that’s been floating around the news for the past few months has been the abbreviation GDPR. What this stands for is “General Data Protection Regulation.” It governs personal data and its protection within the European Union. It includes things like:
– Deadlines for Data Breach Disclosure
– Fine Levels
Overall, they’re the strictest set of laws ever enacted to govern an organization’s collection, retention and protection of personal data.
Some of you may remember the series of Newsletters I did about the EQUIFAX Data Breach. One of the items highlighted in them was the amount of time it took EQUIFAX to disclose the Breach (at the time, there were no requirements or repercussions for non-disclosure.) The GDPR imposes a timeline for this (and penalties.) I also mentioned that our own Legislation has a Placeholder Section for this sort of thing and that it was currently being “worked on” (since 2015.)
Thanks to EQUIFAX, this work likely gained additional resources and priority. In fact, it has already been finished for quite some time.
Well, the long wait is almost over: Canada will have additional rules and regulations coming into effect on November 1st, 2018, to be exact.
The Digital Privacy Act (DPA), which expands the Personal Information Protection and Electronic Documents Act (PIPEDA), now includes mandatory requirements when it comes to:
– Record Keeping
– Reporting to the Office of the Privacy Commissioner
– Notification of affected Individuals
These are Canadian Federal laws, so they impact ALL organizations in ALL of Canada’s Provinces and Territories, as well as ALL Foreign organizations operating in Canada, collecting information. This means anyone reading this Newsletter is likely subject to these new rules.
In case you are wondering, the decision on when these laws would come into effect was made back in March. This is not an in-depth look at these new regulations, but an overview to help Readers understand the basics of the new requirements.
First off, as an organization collecting personal information, you are obligated to safeguard it.
Its protection is your responsibility. You (as an organization) are expected to take “reasonable & appropriate” care to safeguard the data “according to how sensitive it is.” This isn’t new, but it’s worth highlighting when you talk about this topic.
This is pretty straightforward. The more sensitive the data, the tighter your Security around it is expected to be. Not all data of a personal nature needs to be guarded with the same level of protection. The thing to remember here is that if a Security Measure is reasonable, then you are obligated to apply it, whatever that measure happens to be. What is “reasonable” is not strictly defined, so it’s best to err on the side of caution. Better to be considered over-protective, rather than not protective enough!
The First real change is in regard to Record-Keeping.
Previously, there was no official requirement to keep any sort of Records. Now, the rule is that ANY TIME there is a “Breach of Security Safeguards”, it MUST BE DOCUMENTED.
Now keep in mind that this is not necessarily the same thing as a Data Breach. This can include something as innocuous as an Employee allowing their child to use their company Smart Phone (which also contains sensitive information, depending on the organization.) In that case, let’s assume no Data Breach occurred, so there’s no need to inform the Privacy Commissioner’s Office. The incident MUST still be investigated and documented.
Breach Records MUST be maintained for 24 months after the date on which the company learned of the event (not the date when it happened.) What these reports contain is not strictly defined within the regulations. However, they must contain any relevant information that the Office of the Privacy Commissioner could use to establish compliance with the DPA. If you think this is too much of a hassle:
- Failure to provide these to the Office of the Privacy Commissioner upon request is an Offense.
- Failure to keep such Records is a Separate Offense.
The second change is in regard to the required response to “A Breach of Security Safeguards.”
- In the event that there is no “real risk of significant harm”, the only action that needs to occur on the part of the organization is to document the event.
- In the event the organization concludes there is a “real risk of significant harm”, the outfit is required to notify the Privacy Commissioner’s Office at once.
- In the event that the organization concludes that there is a “real risk of significant harm”, the organization is required to notify the affected individual(s) ASAP. You also need to make sure that the warning is clear and includes possible steps they can take, in order to mitigate their risk.
There is no set deadline for how long a company has to make a report or notify affected individuals or the Office of the Privacy Commissioner. The Legislation says these must be done “as soon as feasible.” This basically means that if the government finds that your organization dragged its feet in taking action, you can be held accountable. So make sure EVERYONE knows to treat a potential Breach situation as a Top Priority, and that you have a framework for undertaking the investigation.
How can they find out about this? Well, remember those records you have to keep and turn over if you get asked for them?
“Real risk of significant harm” is a statement the Legislation defines as bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft (and so on.) It covers a wide range of possible damages that could result from a “Breach of Security Safeguards.”
This brings us back to my original question: “Is your organization ready for November 1st?”
If you have any questions about Government Privacy Regulations, you can always reach out to your TRINUS Account Manager for some stress-free IT.
Your Friendly Neighbourhood Cyberman.