PIPEDA’s New Mandatory Breach Notification and Recordkeeping Requirements: How Do They Compare with the GDPR and U.S. Regulations?

The landscape of global data breach laws has been marked by continuous change in recent years. One of the most significant this year was the coming into force of the EU General Data Protection Regulation (GDPR). Described by ICO Commissioner Elizabeth Denham as “the biggest change to data protection law in a generation,” the GDPR has certainly made an impact.

Enter the new mandatory breach notification and recordkeeping requirements under the Personal Information Protection and Electronic Documents Act (PIPEDA). These new requirements, effective November 1, 2018, are an example of the impact of the GDPR on international data breach notification requirements. As noted in the Regulatory Impact Analysis Statement provided by the Government of Canada along with the final Breach of Security Safeguards Regulations, “Many respondents cited the need to align the Regulations more closely with those of the breach reporting requirements of the GDPR given that many Canadian organizations must comply with both Canadian and European law. The final Regulations were drafted with a view to harmonizing the requirements to the extent possible.”

The key to compliance with breach notification and recordkeeping requirements under the GDPR and PIPEDA is knowing where they are similar and where they are different. The same goes if you are regulated by U.S. breach notification laws: how are those breach notification and recordkeeping obligations similar to or different than the GDPR and PIPEDA? Here are a few comparisons:

Definition of Personal Data and Regulated Forms

U.S. State and Federal Regulations GDPR PIPEDA
Under U.S. law, personal information is generally defined as an individual’s name in combination with a set of specified data elements such as a Social Security number. Personal data under the GDPR has a broad definition, meaning information in any form relating to an identified or identifiable individual, with particular sensitivity to information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and sex life or sexual orientation. Similar to the GDPR, PIPEDA has defined personal information very broadly, meaning information in any form about an identifiable individual. Also similar to the GDPR, personal information can mean information about an individual’s race, national or ethnic origin, religion, age, marital status, medical, education or employment history, financial information, or views or opinions about the individual as an employee.

Notification Timeframes

U.S. State and Federal Regulations GDPR PIPEDA
Generally, notification is required in the most expeditious manner possible, without unreasonable delay. In recent years, the trend is toward a more specific timeline, typically 30–45 days from breach discovery. For supervisory authorities, notice is required “without undue delay and, where feasible, not later than 72 hours.” For data subjects, notice is required “without undue delay.” Notification of individuals affected by the breach should occur “as soon as feasible after determining that a breach has occurred.”

Risk of Harm Standard

U.S. State and Federal Regulations GDPR PIPEDA
When specified in U.S. law, risk of harm is typically defined as risk of financial harm or identity theft. Unlike the focus on financial harm under U.S. law, the GDPR standard for notification to supervisory authorities is a breach that is likely to result in a risk to the rights and freedoms of affected individuals. The standard for notification to affected individuals is a breach that is likely to result in a high risk to the individuals’ rights and freedoms. PIPEDA harmonizes with the GDPR in that the consideration of harm goes beyond financial harm. Under PIPEDA, notification to the Privacy Commissioner and affected individuals is required when a breach creates a real risk of significant harm to an individual, including considerations for bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, and identity theft.

Guide PIPEDA GDPR US

When it comes to the risk of harm standard for each regulation, it’s important to note that U.S. law, the GDPR, and PIPEDA all require a multi-factor risk assessment to determine whether notification is required to affected individuals and others, taking into consideration the nuances in each law’s standard of harm.

Interested in further comparison? Download the at-a-glance comparison guide for more definitions and requirements under PIPEDA, the GDPR, and U.S. state and federal data breach statutes.

Automation to Simplify Compliance with PIPEDA and Global Data Breach Notification Regulations

RDR-_Illustrations_pipeda

RADAR is the only platform that provides automated multi-factor risk assessments and decision support guidance for global data breach notification laws – now including PIPEDA. With its patented, proven multi-factor incident risk assessment engine, RADAR eliminates the subjectivity and inconsistency that is inherent in manual incident response approaches.

Contact us if you would like a demonstration of how our regulatory workflow takes into account the nuances of compliance with PIPEDA’s mandatory breach notification and recordkeeping requirements.