Cyber security and data privacy protection concept with icon of a shield and lock over binary digits background

Being privacy compliant may involve more than just complying with PIPEDA or whatever other privacy legislation applies to a particular business or organization. Keep in mind that privacy and security are not the same thing – but they are intertwined.

For example:

  • OSFI – the entity that governs Canadian federally regulated financial institutions – recently issued an advisory requiring the reporting of cyber security incidents to OSFI – within 72 hours. This is on top of their existing cybersecurity self-assessment guidelines.
  • Customers may require compliance with standards such as ISO 27001, or SOC 2.
  • A business may choose to comply with such standards for promotional purposes.
  • A business doing business with or targeting people in Europe may have to comply with the GDPR.
  • A business may make promises in their privacy policy beyond those otherwise required.
  • Directors and officers may be subject to any number of standards of care expressed by various agencies.
  • Privacy torts are now limited in scope, but may eventually morph into substantive requirements.

The bottom line is that each business and organization must reflect on what legal, practical, and business issues they need to consider for privacy and security. 


Connect with David Canton on Twitter and LinkedIn.

rssrss feed