April 20, 2018

Canadian data breach notification regulations finalized

The Canadian government has released the final version of its Breach of Security Safeguards Regulations, which will come into force on November 1, 2018. We now have a final picture of privacy breach notification requirements that will be applicable to the private sector in most Canadian provinces as of that date.

Non-compliant organizations will face fines up to $100,000.

An organization that experiences a privacy breach – called a “breach of security safeguards” in the regulations – will have to first determine, through a risk assessment, if it poses a “real risk of significant harm” to any individual whose information was involved in the incident.

If the organization concludes that a breach does indeed pose such a risk, it must notify affected individuals and report the breach to the Privacy Commissioner of Canada “as soon as feasible.” It should also notify any third party organizations that may help mitigate harm to those people.

What to report

The report must contain information about:

  • the circumstances of the breach and, if known, the cause;
  • when it happened, and for how long;
  • what kind of personal information was breached, to the extent it is known;
  • how many individuals were affected by the breach or at least an approximation of that number;
  • what the organization has done to reduce the risk of harm to affected individuals or to mitigate that harm;
  • what the organization has done or intends to do to notify affected individuals of the breach; and
  • who to contact in the organization, for any questions the Commissioner may have about the breach.

Given  that new information can come to light throughout a breach investigation after the initial report to the Commissioner, the final version of the regulations allow organizations to report certain information to the extent that it is available at the time of reporting.  Organizations can later update the report if necessary.


A notification to affected individuals must contain information about:

  • the circumstances of the breach
  • when it happened, and for how long
  • what kind of personal information was breached
  • what has been done to reduce any risk of harm to affected individuals
  • what the affected individuals can do on their end to reduce that risk or further mitigate any harm, and
  • who to contact to for further information about the breach.

Record-keeping requirements

Organizations must maintain a record of every breach of security safeguards they become aware of — no matter the size.  They must provide it to the Privacy Commissioner upon request.  The regulations specify that organizations must maintain a data breach record for at least 24 months from the date that it determined the breach happened.


Non-compliant organizations will face fines up to $100,000, depending on the nature of the offence.

Finally, Canadian businesses that handle personal information on EU residents will have to be mindful of new EU rules under the General Data Protection Regulation (GDPR), which include even tougher data breach notification requirements. Under the GDPR, which comes into force on May 25, 2018, notification to a national data protection regulator must take place no later than 72 hours after an organization has become aware of the incident, if feasible.  This is likely to pose a significant challenge to Canadian businesses that offer goods or services to EU residents and monitor their online habits.