Being privacy compliant may involve more than just complying with PIPEDA or whatever other privacy legislation applies to a particular business or organization. Keep in mind that privacy and security are not the same thing, but they are intertwined: a privacy obligation to safeguard personal information is usually met through security controls, and a security failure is often what triggers a privacy obligation.
- OSFI, the regulator of Canadian federally regulated financial institutions, recently issued an advisory requiring those institutions to report cyber security incidents to OSFI within 72 hours. This is on top of OSFI's existing cyber security self-assessment guidelines.
- Customers may require compliance with standards such as ISO 27001, or SOC 2.
- A business may choose to comply with such standards for promotional purposes.
- A business that does business with, or targets, people in Europe may have to comply with the GDPR, even if it has no physical presence there.
- Directors and officers may be subject to any number of standards of care expressed by various regulators and agencies.
- Privacy torts are now limited in scope, but may eventually morph into substantive requirements.
The bottom line is that each business and organization must reflect on what legal, practical, and business issues they need to consider for privacy and security.