Current Industry Headlines and Media

Canada’s Privacy Law and KYC to the Rescue

Canada’s Privacy Law and KYC to the Rescue

November 1st marked a significant day for privacy and Internet law. On this date, a Canadian law went into effect that will establish greater accountability and responsibility on the global stage. Companies with authority over Canadian citizens’ personal information will now be required to report to the Office of the Privacy Commissioner of Canada (“OPC”). Additionally, they will be required to notify individuals affected in the event of a “breach of security safeguards.

Canada’s Digital Privacy Act of 2015 set the tone for this action. Amending the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada added notification requirements to the security mix three years ago. The act defined a breach of security safeguards as “a loss or unauthorized access or disclosure of personal information resulting from a breach of the organization’s security safeguards.” Working out more of the nitty-gritty details, the government finally released written guidelines back in January. Now, the defined rules are in full effect and creating more transparency than ever before.

New Guidelines

Adding momentum to the regulation movement, the law will establish new boundaries that ultimately favor the safety and security of the public.

  • Organizations must maintain a record for 24 months following the event of any data breach, even if the breach does not pose significant harm.
  • The record must provide any relevant information that allows the Commissioner to assess compliance.
  • The organization must report to the OPC and contact affected individuals if a “real risk” of significant harm is determined. This includes damage to the body, reputation, relationships, employment, finances, property, and identity theft.
  • The organization must issue the report as soon as risk is determined.

Notification Requirements

The notified individual will now receive more information in order to make informed decisions with respect to his or her personal information. As such, a breach notification will include:

“A description of the circumstances of the branch.”

“The day on which, or period during which, the breach occurred or, if neither is known, the approximate period.”

“A description of the personal information that is the subject of the breach to the extent that the information is known.”

“A description of the steps that the organization has taken to reduce the risk of harm that could result from the breach.”

“A description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm.”

“Contact information that the affected individual can use to obtain further information about the breach.”

While a positive change, it’s back to the drawing board for organizations merely trying to keep up. And for American companies that thought they could escape GDPR, this may be quite the wake-up call. Those with a command on Canadians’ personal information will be especially challenged and will now be forced to confront new changes in the online space. One thing is certain, though. It’s time to be proactive and take actionable steps.

Following the events of Equifax, Sony, and countless other incidents, you’d think that the US would begin to follow suit with a national data security law. Maybe our friends up north will encourage new legislation in the U.S. But until then, a security ledger might just be the best way to avoid the problem in the first place through decentralization.

One of the leading targets of these fraudulent activities is centralized databases. Thanks to the blockchain, we may now transcend this flawed and archaic way of doing business. While data used to be centrally located and easy to access, we now have the opportunity to distribute encrypted blocks of information across networks, across thousands of different machines and chained together through cryptographic code. No longer is there just one target to hack, think of a forest, a needle in a haystack with each strand of hay a unique set of code.

And that’s just for starters. We now have an immutable record to keep the attacker from rewriting history with their own agenda. We also have KYC (Know Your Customer), a process for verifying customers’ identities with document scans to ensure that they truly are who they say they are. Adding another level of security to the blockchain, authenticated users obtain a string of encrypted numbers that is uniquely theirs. This is their private key, a personal signature for accessing their own currency and information. The key holder is the only person who can decrypt this information.

One of the leading targets of these fraudulent activities is centralized databases. Thanks to the blockchain, we may now transcend this flawed and archaic way of doing business.TWEET THISIn the wake of security vulnerability, the blockchain has the answers written and encrypted from within. With the help of a software-as-a-service (SaaS) based blockchain platform, companies may address these regulatory challenges as well with actionable steps and seamless automation. With the best in Regtech (regulatory technology), companies will be on the right track to compliance with the law and a future of greater truths.


Dan Gay, Chief Marketing Officer