Starting November 1, 2018, PIPEDA requires businesses to notify the Privacy Commissioner and affected individuals of any privacy breach that poses “a real risk of significant harm”.
It also requires businesses to keep a record of every breach of security safeguards that involves personal information, even when there is no risk of harm. For breaches that are not reported, the record must explain why the breach does not meet the reporting threshold.
So merely responding to a potentially harmful privacy breach if and when it happens does not satisfy the requirements.
The Commissioner can ask to see that breach record at any time. Failure to comply with the recording and notification requirements can result in a penalty of up to $100,000.
From a practical perspective, this means staff must know what a breach of security safeguards is and whom to tell about it. Breach detection cannot rely on complaints alone.
This chart (PDF download) is an overview of the process. Be sure to follow the detailed definitions and requirements in PIPEDA.