Get ready for mandatory breach notification in Canada

Canada now has mandatory privacy breach legislation in place at the federal level. Effective November 1, 2018, companies subject to Canada’s privacy law, the Personal Information Protection and Electronic Documents Act, will be required to record and report breaches of security safeguards. The new breach rules may require changes to your breach management and privacy practices.

What’s changing

The breach of security safeguards regulation, introduced through the Digital Privacy Act, includes three main requirements:

Breach notification

Report to the Office of the Privacy Commissioner of Canada (OPC) and notify affected individuals and third parties (who can mitigate harm) of a breach.

Record keeping

Retain records of all data breaches and share them with the OPC on demand.

Risk assessment

Determine if it’s a breach of security safeguards and whether it poses a real risk of significant harm.

Why prepare?

By establishing or enhancing your breach response plan and broader privacy program, you can:

  • Improve your competitive advantage by enhancing customer trust and loyalty, heightening privacy awareness across the company and achieving greater efficiency among the privacy, security, information technology and data governance functions

  • Reduce risk, as responding poorly to a breach may lead to increased regulatory scrutiny (such as an investigation, audit, review of the entire privacy program and sanctions), financial penalties (such as fines, lost shareholder value or lawsuits) and a reputational hit (through reduced customer trust, brand value and revenue)

Managing privacy and risk in a digital world

We sit down with Pamela Snively, Chief Data & Trust Officer at TELUS, for expert insights on embracing innovation while protecting customer privacy.


What can you do?

Mandatory breach regulation readiness assessment tool

Understand your current state of preparedness and how you compare to your peers. Get valuable insights into the work needed to get to your goal or demonstrate due diligence in your preparation efforts. The tool helps to:

  • Answer key questions: The tool features a comprehensive set of questions related to the breach of security safeguards regulations.

  • Assess breach response readiness: Responses are assessed according to regulatory requirements, practical experience and industry practice.

  • Understand maturity level: Each component of the assessment is linked to a maturity level in order to assess current operating state.

Establish your baseline

A breach program baseline includes:

  • risk assessments, data inventory and mapping and program development

  • examining incident and breach response policies, processes and procedures

  • breach response plans, including mock breach events

  • assessing insider threats

  • training and awareness programs

Respond effectively to a breach

What are the options to manage a breach?

  • Privacy as a Service (PraaS): outsourced privacy office support, breach response procedures, training and risk assessments

  • Security and privacy operations centre services: an integrated approach encompassing both cyber and regulatory responses to incidents

  • Cyber incident response services: incident response and threat detection, compromise discovery and ongoing support through reporting, analysis, notification and outcome



Contact us

PwC has an experienced privacy team with global reach and proven tools and accelerators to help you get ready. Contact us to find out more.

Jordan Prokopy

National Privacy Practice Leader, Toronto, PwC Canada

+1 416 869 2384

