Since 2000, the Personal Information Protection and Electronic Documents Act (PIPEDA) has governed the collection of Canadians’ consumer personal information. If a company knowingly violates the legislation, it can face fines of up to $100,000 per violation. Though the Act has successfully held hundreds of organizations responsible for data breaches and illegal disclosures over the past two decades, it now faces criticism for not providing a strong enough deterrent against disclosure in today’s digital age.
An updated Digital Charter Implementation Act, 2020 (DCIA or the "Act"), intended to replace PIPEDA, was tabled in the House of Commons under the name Bill C-11 on November 17, 2020. The refreshed bill is said to “further balance privacy interests with the recognition that data are fuel for Canadian competitiveness and innovation.”
What the Digital Charter Implementation Act could mean for Canadians
If passed, Bill C-11, currently in first reading, would represent a significant change in the privacy and data risk management landscape in Canada. The Act creates a penalty scheme similar to that of the European Union’s General Data Protection Regulation, in that it imposes significant financial penalties for violations of the Act. With the DCIA, companies could face fines of up to five per cent of global revenue or $25 million, whichever is greater. Such penalties create new business risk for Canadian corporations and those that do business in Canada.
Potential concerns about the Digital Charter Implementation Act
From a data management perspective, the Act creates new obligations that pose risks to corporations. One requirement, which I find to be a significant challenge, is that a corporation must delete all of the personal information held by that corporation if an individual requests such deletion. Of course, being able to delete the data requires that the corporation knows where all of its clients’ personal information is stored. Many companies have multiple locations to store this information; some of those locations may be centralized as part of a customer management system, but some may not be. Proper data management through mapping and tracking of information is going to become essential to risk mitigation and management.
How Canadian organizations can prepare for the Digital Charter Implementation Act
For Canadian corporations and those that do business here, the potential implementation of the DCIA brings to light the data management, identification and deletion concerns that already exist in the European Union. While it may take several years for the final form of the DCIA to be negotiated and passed, creating a new data infrastructure and information policy within your organization can take considerable time. The passage of Bill C-11, or something like it, is not a matter of “if” but “when.” If you are waiting to sort out your compliance until this Bill is passed, you will be too late.
Data management and mapping are not part of many corporations’ information governance roadmaps. A proper plan can help build an information management strategy that takes into account the requirements of the new Act, as well as technologies that can make the identification process simpler and more cost-effective.
It can be difficult to know where to start when reviewing years’ worth of data, which makes unpacking it an especially daunting task. To learn more about data mapping and clean-up, be sure to check out our free Data Mapping: Building the Bedrock eBook. Have questions? Get in touch with us today.
Try out our Complimentary Content Assessment
Typically, 70 per cent of data in corporations is found to hold no business value. Legal and eDiscovery efforts can be greatly reduced during litigation events when content that is past its regulatory or business use life is disposed of properly. Take advantage of our Complimentary Content Assessment below to take the first step towards achieving data governance and compliance in your organization.