Starting Nov 1, 2018, PIPEDA requires businesses to notify the Privacy Commissioner and affected individuals of any privacy breach that poses “a real risk of significant harm”.
It also requires businesses to keep a record of all breaches of security safeguards that involve personal information, even if there is no risk of harm. That record must include details of why a breach does not pass the reporting threshold.
So simply dealing with a potentially harmful privacy breach when and if it happens is not sufficient for compliance.
The Commissioner can ask to see that breach record at any time. Failure to comply . . .