
What is Canada’s PIPEDA?
Canada has long been among the pioneers of data protection. It enacted PIPEDA in 2000 and strengthened it in 2015 with the Digital Privacy Act, whose requirements closely parallel those of the EU's GDPR and whose mandatory breach-notification provisions came into force in November 2018. The law applies only to private-sector organizations that collect, use or disclose personal information in the course of commercial activity. Organizations must obtain individuals' consent to collect, use or disclose their personal information, and individuals have the right to access their data at any time. PIPEDA does not apply to every organization across Canada: where a province has enacted substantially similar privacy legislation (Quebec, Alberta and British Columbia have), that provincial law governs commercial activity within the province, while PIPEDA still covers federally regulated businesses and personal information that crosses provincial or national borders.
Organizations in a wide range of sectors, such as travel, insurance and telecommunications, are subject to the law and face penalties if they do not comply. Knowingly failing to report or keep a record of a breach, or obstructing the Privacy Commissioner, is an offence carrying fines of up to CAD 100,000 per violation.
Requirements
Right of Access to Data:
Under PIPEDA an organization must, on request, tell an individual whether it holds personal information about them, how that information has been and is being used, and to whom it has been disclosed, and must give the individual access to the information together with an account of the third parties to which it has been disclosed. Answering such a request accurately presupposes that the organization can locate every copy of the subject's data and reconstruct the disclosures that actually occurred.
How SecuPi Helps:
To enforce a data subject's objection to processing, SecuPi can attach any condition to an application process, including a flag recording that the subject has asked not to be processed, and thereby prevent any access to or manipulation of that subject's data. This lets a company cease processing part or all of the data about a data subject, without specialist development or configuration, on any system where SecuPi is installed. SecuPi also simplifies rolling back such a change or refining the restriction, for example blocking customer-service processing while still permitting the DPO, the subject-rights team or the legal team to access the data in order to resolve a complaint, legal case or subject request.
Consent and Right to Opt Out
Under PIPEDA, organizations must obtain an individual's consent for the collection, use and disclosure of their personal information. For consent to be valid, the individual must understand the nature and purpose of the collection, use or disclosure. An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice, and the organization must inform them of the implications of withdrawing.
How SecuPi Helps:
SecuPi's ability to redact, hide, mask or block an individual customer's data in consent-driven data flows and processes is the cornerstone of its consent support. Using dynamic masking and redaction, SecuPi enforces opt-out requests and blocks access to a data subject's records where consent was not given or where the subject has asked that processing be restricted. Because enforcement is keyed on the subject's consent status at the moment of access, the consent registry it reads must be authoritative and protected from unauthorized changes; a stale or writable registry lets a withdrawn consent silently reappear.
Breach Notification:
PIPEDA requires an organization to report any breach of security safeguards involving personal information under its control to the Privacy Commissioner of Canada if it is reasonable to believe the breach creates a "real risk of significant harm" to an individual, and to notify the affected individuals as soon as feasible. It must also notify any other organization or government institution that may be able to reduce the risk of harm, and must keep a record of every breach, reportable or not, for 24 months.
How SecuPi Helps:
In the event of a breach, SecuPi's audit logs and behavior analytics can show which records were accessed, by whom and when. That narrows the set of affected individuals, shortens the time needed to report, and gives the report accurate, accountable detail. This holds only for the access paths the logs actually cover, so the logs themselves must be protected from tampering and retained for at least the 24-month record-keeping window.
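As an added illustration, not SecuPi's code and not part of the original page, the following Python sketch shows the enforcement pattern that the three "How SecuPi Helps" paragraphs describe in prose: a data-access layer that consults a consent registry per request, either returns, masks or withholds each subject's record, lets a privileged role (DPO, legal, subject-rights team) through for complaint handling, and writes one audit entry per decision so that after a breach one can query exactly which subjects' unmasked data a given principal received. All records, role names, purposes and the masking rules are constructed assumptions.

```python
"""Consent-gated dynamic masking with an access audit trail.

Constructed illustration of the enforcement pattern described on this page.
All records, names, roles and purposes below are made up; this is not SecuPi
code and makes no claim about how SecuPi implements its policies.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: roles allowed to see unmasked data even after a subject restricts
# processing (e.g. to resolve a complaint or a subject-access request).
PRIVILEGED_ROLES = {"dpo", "legal", "subject_rights"}

# Fields treated as personal information and masked when consent is missing.
PII_FIELDS = ("name", "email", "phone")


@dataclass
class ConsentRecord:
    purposes: dict            # purpose -> True/False, as recorded at collection
    restricted: bool = False  # subject asked that all processing stop


@dataclass
class AuditEntry:
    ts: str
    principal: str
    role: str
    purpose: str
    subject_id: str
    decision: str             # "allow", "mask" or "block"


def mask_value(field_name, value):
    """Redact a PII value while keeping enough shape to remain usable
    (first letter of the e-mail local part, last four digits of a phone)."""
    if field_name == "email":
        local, _, domain = value.partition("@")
        return f"{local[0]}***@{domain}"
    if field_name == "phone":
        return "***-***-" + value[-4:]
    return "***"


def decide(consent, role, purpose):
    """Policy: privileged roles always see data; an unknown or restricted
    subject is blocked outright; a subject without consent for this
    purpose is masked; otherwise the row is allowed."""
    if role in PRIVILEGED_ROLES:
        return "allow"
    if consent is None or consent.restricted:
        return "block"
    if not consent.purposes.get(purpose, False):
        return "mask"
    return "allow"


def enforce(records, registry, principal, role, purpose, audit):
    """Filter or mask `records` for one request, appending one audit entry
    per subject touched. Returns only the rows the caller may see."""
    out = []
    now = datetime.now(timezone.utc).isoformat()
    for rec in records:
        sid = rec["subject_id"]
        decision = decide(registry.get(sid), role, purpose)
        audit.append(AuditEntry(now, principal, role, purpose, sid, decision))
        if decision == "block":
            continue
        if decision == "mask":
            rec = {k: (mask_value(k, v) if k in PII_FIELDS else v)
                   for k, v in rec.items()}
        out.append(rec)
    return out


def subjects_exposed_to(audit, principal):
    """Breach-scoping query: which subjects' unmasked data did `principal`
    actually receive? Only "allow" decisions count; masked or blocked rows
    carried no identifiable data."""
    return {e.subject_id for e in audit
            if e.principal == principal and e.decision == "allow"}


# Constructed sample data: three customers, three consent states.
CUSTOMERS = [
    {"subject_id": "c1", "name": "Ann Example", "email": "ann@example.ca",
     "phone": "613-555-0101", "plan": "gold"},
    {"subject_id": "c2", "name": "Bob Sample", "email": "bob@example.ca",
     "phone": "416-555-0102", "plan": "basic"},
    {"subject_id": "c3", "name": "Cy Test", "email": "cy@example.ca",
     "phone": "604-555-0103", "plan": "gold"},
]
REGISTRY = {
    "c1": ConsentRecord({"service": True, "marketing": True}),
    "c2": ConsentRecord({"service": True, "marketing": False}),  # opted out of marketing
    "c3": ConsentRecord({"service": True}, restricted=True),     # withdrew consent entirely
}

if __name__ == "__main__":
    log = []
    for row in enforce(CUSTOMERS, REGISTRY, "alice", "marketing_agent", "marketing", log):
        print(row)
    print("unmasked subjects seen by alice:", subjects_exposed_to(log, "alice"))
```

Run as-is, a marketing agent sees c1 in full, c2 with name, e-mail and phone masked, and never sees c3 at all, while the audit trail records all three decisions; a DPO querying for complaint handling receives every row unmasked. The `subjects_exposed_to` query is the part that matters for breach notification: if the agent's account is later compromised, the set of individuals to notify is the set of "allow" entries for that principal, not everyone the query could have matched.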