Posted July 4, 2017 in Security

What Does it Take to be Compliant in 2017?


Data privacy and security compliance is a tricky process to navigate. Chances are your organization is beholden to multiple regulatory bodies and data governance guidelines, regardless of what field you operate in or where you are located. True, there are industry-specific regulations such as the United States’ Health Insurance Portability and Accountability Act, but many compliance demands overlap industries and cross international borders.

Keeping up with all the constantly swirling changes in data privacy compliance requirements can sometimes feel like an exercise in futility. Don’t worry, we’re here to help. So, what does it take to be compliant in 2017? Let’s take a look:

Regulations at home continue to evolve

Before diving into the quagmire that is the international data privacy regulatory environment, let’s begin with the prevailing concerns developing here in Canada. One of the main sets of rules businesses should be watching is the Personal Information Protection and Electronic Documents Act, which outlines how private sector organizations gather, use, and disseminate personal information.

One thing to keep in mind with PIPEDA is that it combines data management requirements that are punishable by fine with suggested guidelines for improving cyber security posture while safeguarding user data. Separating what is obligatory from what is merely encouraged may make sense if you are strictly worried about dodging financial penalties, but adhering to every PIPEDA principle is strongly recommended.

Another key domestic regulation to keep an eye out for is 2015’s Data Privacy Act, which details what steps should be taken by a victimized organization following a data breach. Although it has yet to go into full effect, this legislation promises to drastically change how companies report a data breach and notify affected individuals.

As reported by the Ottawa Citizen, under the Data Privacy Act, breach victims would need to immediately report the incident to the Office of the Privacy Commissioner of Canada. The matter would then be left in the hands of the government to determine what level of public transparency is required. Violating this regulation could lead to fines as high as $100,000 per infraction.

There are also a multitude of provincial guidelines in place dictating data privacy responsibilities, so it’s always wise to check with your local government on what’s required.

Be mindful of international developments

Thanks to the ever-expanding digital economy and e-commerce market, the borders between international markets have become as blurred as ever. For many Canadian companies, adhering only to the regulations that apply to organizations based in Canada is a recipe for disaster. The Payment Card Industry Data Security Standard, for instance, outlines how payment card information must be handled across the globe and is administered by an independent regulatory body rather than any single government.

The latest – and potentially most devastating – disruptor in international data compliance looms just on the horizon, though. The European Union’s General Data Protection Regulation will make some pretty radical changes to consumer data governance both in that corner of the world and abroad. Some of the more salient details include:

  • Companies must provide consumers access to their personal data upon request.
  • They must also completely erase that information from their system and network if the individual asks.
  • Data usage consent forms will be more concise and explicit and will do away with pre-checked opt-in boxes.
  • Penalties for violation will increase substantially, with fines going as high as 4 per cent of a company’s annual global turnover or approximately $30 million.

Perhaps the biggest development presented by GDPR is that all of these requirements will apply to any organization with access to European consumer data, regardless of where it is located. Although GDPR won’t go into full effect until 2018, businesses across the globe are already scrambling to become compliant. Needless to say, this is one set of guidelines you want to keep an eye on.

There is, of course, much more that goes into data privacy compliance, but these are the major players to be aware of as the year rolls on. As always, top-down commitment to compliance is a key requirement for cultivating a company culture dedicated to data privacy and security best practices.