Data Leaks, Digital Privacy Act & Your Small Business

data leaks in small business cover image


There have been significant changes to Canada’s Digital Privacy Act, which are being enforced as of Nov 1, 2018, yet many small business owners are not informed on their responsibility in managing customer information – and certainly not prepared to prevent data leaks, breaches and intrusions.

PIPEDA broadly defines “personal information” as “information about an identifiable individual.” It can be a clients age, financial information or a driver’s license copy you took for an application. In this post we will cover the computer security and network security processes that help you reduce the risk of data leaks and comply with the Digital Privacy Act, PIPEDA and data management best practices.

Whether your business processes mortgage applications, offers payroll and book keeping services, health services or any type of business where you collect any personal identifying information about your clients, you need to review your processes and systems to ensure you are taking reasonable efforts to protect that data. If you have specific IT compliance services requirements, our Toronto team can help you.

Data Leaks That Must Be Reported

Reporting is up to you. It’s solely in your hands. The Office of the Privacy Commissioner of Canada has listed some examples of personal information that may include (but is not limited to):

  • Race, national or ethnic origin
  • Religion
  • Age, marital status
  • Medical, education or employment history
  • Financial information
  • DNA
  • Social insurance number or driver’s license.

The new Digital Privacy Act serves as an amendment to PIPEDA and creates new requirements for businesses to follow.

  1. All organizations must maintain records of all data breaches.
  2. Any breach that poses “significant harm” to any person whose data has been exposed must be reported to the Privacy Commissioner of Canada.
  3. Any breach that poses “significant harm” to any person must be disclosed to the affected person.

“Significant harm” is a term used throughout PIPEDA and is defined broadly to include bodily harm; humiliation; damage to reputation or relationships; loss of employment, business or professional opportunities; financial loss; identity theft; negative effects on the credit record; and damage to or loss of property.

The most common forms of significant harm resulting from most small business breaches are negative effects on the credit record, financial loss and identity theft.

It’s important to rethink your data security practices and hire professional guidance to help you improve your email, data storage and IT systems.

A data breach can stem from:

  • Paper documents being lost
  • An email account being hacked
  • A lost laptop or backup drive
  • An email containing sensitive information being sent to the wrong person
  • A ransomware attack
  • A network breach

If a data breach causing significant harm occurs, the report to the Privacy Commissioner must be made as soon as the breach is discovered, even if all the details of the breach are not yet known. The report must meet certain reporting requirements which include but are not limited to:

  • The date of the breach
  • The nature of the breach
  • The nature of the information exposed
  • How many people are affected
  • And more

Full details can be found at

Steps To Protect Your Small Business From Data Leaks

Train your employees. Human error is a major contributor to data leaks and network breaches. Training should cover everything from taking extra care when working with sensitive information, what is appropriate to email without encryption, and what should be sent via secure platforms such as encrypted email or ShareFile, as well as phishing awareness.

Create a formal policy for storing and sharing customer information. Be sure all new employees receive this training. Review the importance of sensitive data handling at quarterly or annual team meetings to prevent complacency.

Create a data breach response protocol. Be sure your team has the correct information for responding to a data breach in the event one occurs.

Consider your insurance coverage needs and legal needs that may protect your privilege in the event of a network breach.

Update your data storage and sharing tools and protocols. Use secure, business grade tools and services. Speak with an IT Consultant for professional guidance.

Update your network security and internal data security processes. Many breach are created with help from a company insider. Limit your risk with stringent network and data security policies.

Data Security Solutions in Toronto: Business owners seeking data and cyber security services to limit risk from employee sabotage, external threats or accidental data loss, call TUCU. We will work with you to upgrade your security IT policies to better protect your business.

Related Posts

Ready to make some changes?

Speak to our Toronto IT Consultants for options & an estimate.

Book A Call


More Posts

Free Consultation

Get IT Solutions for your business.