Canada breach notification laws align with GDPR

08 December 2017

The personal details of thousands of Canadians were exposed in this year's breach at credit reporting agency Equifax, while the 2015 breach at the Toronto-based dating site Ashley Madison exposed sensitive data about its 36 million users.

The way in which companies handle such breaches is about to change radically. Canada recently announced that it is to implement mandatory breach notification requirements, bringing its data protection regime more closely into line with those of the US and Europe.


Some 48 US states have laws requiring companies to notify regulators and individuals of a data breach. From 25 May 2018, the EU will also impose data breach notification requirements under the General Data Protection Regulation (GDPR). Other countries are following suit: Australia will apply notification requirements from February 2018, and now Canada.

In September Canada published its proposed Breach of Security Safeguards Regulations. These give effect to the mandatory reporting requirements that the 2015 Digital Privacy Act added to the country's existing federal data protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA), but which have not yet been brought into force. Final regulations are expected to be published soon, and the data breach notification requirement will then come into force after a short implementation period.


Under the new regime, an organisation that suffers a breach of security safeguards must assess whether the resulting "loss of, unauthorised access to, or disclosure of personal information" poses a "real risk of significant harm" to any individual. The assessment must take into account the sensitivity of the personal information involved and the probability that it has been, is being or will be misused.

If a breach is judged to create a real risk of significant harm, the organisation must report it to the Privacy Commissioner of Canada "as soon as feasible". It must also notify the affected individuals, and any other organisation or government institution that may be able to reduce the risk of harm to them. In addition, organisations must keep a record of every breach of security safeguards, whether or not it met the reporting threshold, for at least two years, and provide those records to the Commissioner on request, to demonstrate that they are tracking security incidents involving personal information.


Compliance with the new data breach obligations is likely to be challenging, and will require organisations to have processes in place to detect, assess and respond to a breach of personal data. A recent survey from the Canadian Securities Administrators (CSA) suggests that many firms still have much work to do in this regard.

The CSA cyber security survey of registered firms, published in October, found that more than half (51%) of the firms surveyed experienced a cyber security incident in 2016. Yet only 57% of them have cyber security incident policies and procedures, and only 56% provide cyber security training. Some 14% said they do not conduct a cyber risk assessment, and while most have an incident response plan, a quarter have not yet tested it. On insurance, 59% of the firms surveyed do not purchase specific cyber security cover. Among those that do, the CSA says, the types of incident and the amounts covered vary widely.

The CSA recommends that firms review existing insurance policies to identify which types of cyber security incidents are covered. And for areas not covered by existing policies, firms should consider whether additional insurance should be obtained.


Interestingly, Canada appears to have had the GDPR in view when drafting the new data breach notification rules. The mandatory reporting requirement, the information that must be included in reports to the authority and in notifications to individuals, and the requirement to keep a record of all breaches are all in line with the GDPR. One difference worth noting is timing: the GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach where feasible, whereas PIPEDA requires a report "as soon as feasible".

In its regulatory impact assessment, the Canadian government said that alignment with the GDPR was important to Canada–EU trade. It also recognised the need to limit compliance costs for Canadian companies, many of which must already comply with international data protection laws.

“PIPEDA is currently deemed to provide an essentially equivalent level of privacy protection to the EU, which allows for the free flow of personal information from the European Union to Canadian organisations,” the impact assessment says.

Download Cyber Decoder

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on