The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to virtually every Canadian small business. Most SMBs are not fully compliant — and most do not know it until after a breach.
Designate a privacy officer responsible for compliance. This can be the business owner in a small business.
Identify why you are collecting personal information before or at the time of collection.
Obtain meaningful consent before collecting, using, or disclosing personal information.
Collect only the information necessary for the identified purposes.
Use personal information only for the purposes for which it was collected.
Keep personal information as accurate, complete, and up to date as necessary.
Protect personal information with security safeguards appropriate to the sensitivity of the information.
Make your privacy policies and practices readily available — typically through a published privacy policy.
Upon request, inform individuals about the existence, use, and disclosure of their personal information.
Allow individuals to challenge your compliance with PIPEDA through a designated privacy officer.
What you must do within 72 hours of discovering a breach
Determine what data was affected, who is impacted, and whether there is a real risk of significant harm to individuals.
Report the breach to the Office of the Privacy Commissioner of Canada as soon as feasible. Include what happened, what data was involved, and what steps you are taking.
Notify individuals whose personal information was involved if there is a real risk of significant harm. Include what happened and what they can do to protect themselves.
Guardlyne's Canadian Compliance assessment module evaluates your business against all 10 PIPEDA principles — and shows you exactly what is missing.