New Mandatory Breach Reporting Requirements under PIPEDA: Getting Prepared

Oct 31, 2018 | HR Compliance

On November 1, 2018 the new Personal Information Protection and Electronic Documents Act (PIPEDA) regulations come into effect. PIPEDA applies to the collection, use or disclosure of personal information in the course of a commercial activity. If your operation is based in British Columbia (BC) and you only collect, use and disclose personal information in BC, you’re governed by the Personal Information Protection Act (PIPA) of BC. However, if you are a BC-based operation with any cross-provincial or cross-border activities, the new PIPEDA regulations will apply to your organization.


The new regulations were issued in the spring of 2018, when the Canadian government published its final regulations on mandatory reporting of privacy breaches under Canada’s federal data protection law. These new PIPEDA regulations come into effect November 1, 2018.


The New PIPEDA Requirements

Where it is reasonable to believe that the breach creates a real risk of significant harm to an individual, organizations subject to PIPEDA will be required to notify:

  • The Commissioner
  • The individual
  • Other organizations and/or government


Organizations must also keep records of ALL breaches, even those deemed not to pose a real risk of significant harm. Significant harm as defined in PIPEDA at a minimum includes:

  • Bodily harm
  • Humiliation
  • Damage to reputation or relationships
  • Loss of employment
  • Loss of business or professional opportunities
  • Financial loss
  • Identity theft
  • Negative effects on the credit record and damage to or loss of property


Employer Responsibilities

Have a breach response plan in place. Some key areas to include in your plan:

  • Points of access
  • Information to collect and store
  • Where to house information and how to access it
  • IT infrastructure and plan
  • Incident response steps and procedures

Notify the Commissioner, individuals, other organizations and/or the government “as soon as feasible after the breach occurred”. From a legal and regulatory perspective, this means that as soon as it is reasonably possible for you to identify what happened and determine whether there is a real risk of significant harm, you must immediately proceed with notifying the Commissioner, the affected individuals and any other organizations or government institutions.

Document management is crucial! You must maintain a record of every breach of security safeguards for 24 months.

Review your existing policies and ensure that they remain compliant with privacy laws and regulations.

Train your employees on data breach risks and reporting obligations under the new legislation and requirements.


Important PIPEDA Links

Breach of Security Safeguards Regulations:

PIPEDA Compliance Guidance and Tips:


The new PIPEDA regulations will impact businesses. Non-compliance with the new mandatory breach reporting regime can result in significant fines and penalties for failing to report. So adopt best practices to abide by the PIPEDA regulations and exercise your due diligence as an employer.


Disclaimer: Please be aware that information provided in this blog is subject to change. We recommend that you do not take any information held within as a definitive guide to the law or the relevant matter being discussed. You are advised to seek legal or professional advice where necessary. Due to the nature of the matters discussed in this blog, the information contained within it and any pages linked to/from it are clearly subject to change, without warning.



We’d love to help you build and strengthen your people practices! Contact us for your free consultation to learn more about what HR services and support we can offer your company –


Sofia Arisheh
