What do the new Canadian data breach rules mean for your business?
Business owners owe it to their customers, investors, and partners to be transparent, even if that means admitting to a data breach. As of November 1, 2018, that idea became the law of the land in Canada as per the data breach notification legislation, which affects any organization subject to the Personal Information Protection and Electronic Documents Act (PIPEDA).
The new legislation requires organizations to publicly disclose data breaches to the Privacy Commissioner of Canada if they pose a real risk of significant harm to anyone. The law also requires businesses to keep detailed records of all breaches. Failure to comply can lead to fines of $100,000 per violation, which should be plenty of motivation for you to revisit your cybersecurity strategies.
Building a responsible workforce
You can implement all the technological, physical, and administrative cybersecurity measures in the world, but they’ll be for nought if you don’t have a responsible workforce. Keeping your employees accountable starts and ends with a robust training regime that covers cybersecurity best practices.
It should also include the roles and responsibilities your staff must follow in the event of a data breach. PIPEDA requires, for example, that every company has a privacy officer, who will be responsible for handling security or privacy issues.
Creating a breach response plan
Breach response plans should cover every measure you’ll take to protect your business, mitigate the effects of any threats that make it through to your network, and alert the necessary authorities and stakeholders should a breach happen.
At a minimum, your breach response plan identifies the individuals who will have a role in handling data security or privacy breaches. There also needs to be a clear outline of the process used to mitigate the damage to your organization and how any third parties, such as digital forensic experts and legal personnel might be involved.
Finally, you’ll want to review and revise your plan at least once per year, or whenever you make any major changes to your company’s organization, technology, or human resources processes.
Vetting your technology partners
Nowadays, businesses frequently outsource their computing infrastructures to third-party vendors. It’s a great way to cut costs and reduce dependence on in-house resources, but it’s important to remember that the buck stops with you when it comes to the security of your data.
Vetting your technology partners, be they managed services providers, cybersecurity consultants, software developers, or anyone else who handles your data, is crucial for staying on the right side of the law. It’s why Dyrand Systems is upfront about its best practices and achievements and starts every new partnership with a free assessment. In other words, you shouldn’t even consider working with a technology provider that isn’t intimately acquainted with PIPEDA.
Knowing where your data resides
Many companies still don’t have a solid understanding of how much personal information they collect from clients or where it comes from. This often stems from the fact that most small businesses today combine in-house storage systems with cloud-hosted services. In other words, the underlying infrastructure is more diverse and spread out than ever, and people often aren’t sure of who’s responsible for what.
Today’s business leaders need to address how, where, and when they collect private data from potential or existing customers. Then, they need to know exactly where that data resides and which systems are in place to protect it. This process is known as data governance, and it’s all about clearing up your data storage systems and gaining visibility into your data.
Providing CIO-level expertise and cutting-edge technology to all its clients, Dyrand is here to help businesses in Vancouver, Richmond, and Burnaby with IT that you can depend on. Call us today to arrange your free assessment.