

Ever since the COVID pandemic, business has become more digital. Now, going digital is no longer an option — it is a necessity in Canada.
Many small and medium businesses now use online platforms for their business operations, but there is a rising problem in the form of cyber threats. These threats range from data breaches to ransomware attacks, with varying levels of potential damage to businesses.
Laws have been enacted to combat these risks and protect SMEs and their customers in Canada. An example is the Digital Privacy Act of 2018, and in this article, we will be exploring what this act means for the cyber-protection of small and medium enterprises in Canada.
A look at the Digital Privacy Act (2018)
The 2018 enactment of the Digital Privacy Act changed how companies deal with consumer data and possible breaches. As an amendment to the Personal Information Protection and Electronic Documents Act (PIPEDA), the Digital Privacy Act signifies three things for SMEs:
- Reporting harmful data breaches to the privacy commissioner and every affected party, especially customers, became mandatory.
- Non-compliance with the breach-reporting rules can lead to penalties and legal action.
- All breaches must be recorded in line with set record-keeping criteria.
What has changed since the enactment of the Digital Privacy Act
Bill C-11, an act to protect customers’ privacy, created the Consumer Privacy Protection Act (CPPA). Although it has yet to be signed into law, it appears set to supersede the provisions of PIPEDA. One of the perks of the CPPA, if passed, is that users will have more control over their data: customers can request access to their personal information in a company’s database, make corrections, or delete it entirely.
In addition to this, the bill also stipulates substantial fines for non-compliance, which could reach 5% of global revenue or $25 million for the most serious offenses. Businesses must also be transparent during data collection, storage, and usage; consent requests have to be clear and simple for customers to understand.
It is also worth noting that provinces such as Quebec and British Columbia have additional privacy laws guiding the private sector, including casinos providing Ontario slots, which have been part of Canadian culture for centuries.
Why does the Digital Privacy Act (2018) matter to SMEs?
The demands of Canada’s legislation on handling customer information can be overwhelming for many small and medium businesses. While larger corporations may have adequate budget, manpower, and technological resources to comply, SMEs may struggle in a few ways.
The first challenge is awareness, as not many SMEs are up to date with the country’s changing cybersecurity policies. Second, hiring highly trained cybersecurity personnel may cost a fortune, and for an SME, it may not be a feasible option. Third, most SMEs use third-party services for data hosting, some of which may not comply with prevailing data policies.
To alleviate these challenges, SMEs can take advantage of the CyberSecure Canada Certification, which helps SMEs identify potential risks and implement basic cybersecurity measures, as well as obtain a badge that encourages trust among clients, customers, and partners.
If an SME opts to gain more robust cybersecurity through improved funding, it can utilize programs like the Industrial Research Assistance Program (IRAP) or the CanExport SMEs program. These programs can help SMEs go global as well as provide funds to cover cybersecurity needs.
What to do as an SME?
- Audit data practices: Go through the data collection process to ensure you clearly state why you collect the customer’s information. This is to avoid consent-related litigation. Also, go through the cloud storage systems to ensure the data is protected.
- Train staff on cyber safety: Cyber protection is for everyone at the company and should not be left only to the cybersecurity personnel.
- Stay informed about changes in legislation: Keep tabs on changing regulations to avoid fines and reputation damage.
In conclusion
The advent of the Digital Privacy Act of 2018 inspired several pieces of legislation concerning how businesses collect and handle customer data. These regulations meant tighter rules and stricter penalties for non-compliance. However, these regulations may create more costs and operational responsibilities for SMEs in Canada, such as being more careful with customer data, third-party tools that interact with customer data, and automated response tools.