achieve PIPEDA compliance

The Office of the Privacy Commissioner of Canada (OPC) strengthened its policy regarding PIPEDA, with an amendment that went into effect November 1, 2018, requiring mandatory reporting for breaches and updated recordkeeping requirements.

Are you in compliance with PIPEDA?

Would you know how to report a data breach – or be able to detect one should such a breach occur?

PIPEDA compliance should be part of every business plan.

What Is PIPEDA Compliance?

PIPEDA is Canada’s Personal Information Protection and Electronic Documents Act, requiring providers to alert the OPC and all affected Canadian consumers when there is a data breach.

Data security compliance is taken very seriously in Canada, yet many businesses have failed to implement the necessary policy changes, due to a lack of technology to effectively track them.

How Do You Comply with PIPEDA?

When the personal information of a dental or medical patient is compromised by a data security breach, the provider may face fines. However, fines are not the only factor businesses should be considering. Clients, potential partners, and consumers all desire proper data protection. By neglecting compliance, Canadian businesses are putting their own success at risk.

To remain compliant, you must have the right software. This includes solutions like Microsoft O365, medical management software like ADSTRA for dental offices, and security monitoring and filtering solutions, such as a firewall, malware detection, and threat detection software.

Not sure where to begin? Here’s a PIPEDA Self-Assessment Tool provided by the Office of the Privacy Commissioner in Canada to achieve compliance with PIPEDA.

Does PIPEDA Apply to My Business?

PIPEDA covers every private-sector organization in Canada that collects, uses, stores, or discloses personal information in the course of conducting business, including medical and dental practices, legal practices, and nonprofits.

In general, PIPEDA applies to commercial activities in all provinces and territories, except those organizations operating entirely within provinces with their own privacy laws that have been declared “substantially similar” to the federal law.

For example, organizations in Alberta are also governed by a provincial statute, the Personal Information Protection Act (PIPA), which is Alberta’s private sector privacy law, substantially similar to PIPEDA.

As a result, the provincial laws are followed there in place of the federal legislation, unless the organization does business with companies outside of Alberta, in which case PIPEDA compliance is required.

What Is Azure Compliance?

Azure Compliance is a Microsoft solution that allows you to streamline your compliance using Microsoft Azure – a cloud platform that meets the tracking, security, and reporting requirements of more than 90 compliance regulations around the world.

Azure provides the following commitment to users:

Control – Azure puts you in control of your privacy with easy-to-use tools and clear choices.

Transparency – Azure is transparent about data collection and use, so you can make informed decisions.

Security – Azure protects your data with strong security and encryption. To learn more, visit Microsoft Security.

Strong legal protections – Azure will respect your local privacy laws and fight for legal protection of your privacy as a right.

No content-based targeting – Azure will not use your email, chat, files, or other personal content to target ads to you.

Benefit to you – Azure will only collect data to benefit you and to make your experiences better.

Is Microsoft Teams PIPEDA/PIPA Compliant?

According to Microsoft,

the responsibility and ownership of personal data lies with our business customers, per the Online Services Terms. 

However, Microsoft contractually commits that Azure [has] implemented security safeguards to help them protect the privacy of individuals, based on established industry standards such as ISO/IEC 27001 and the SOC framework.

In short, Microsoft O365 and Azure meet the requirements specified by PIPEDA and PIPA, as long as these solutions are used according to the guidelines.

What Business Owners in Calgary Need to Know About Staying Compliant with Microsoft Office 365

Microsoft Teams, as a part of the O365 package, can be PIPEDA compliant.

However, the onus is upon the end user to properly configure the use of Microsoft Teams for collecting and storing data.

Microsoft Azure provides organizations with a reliable, scalable, and secure infrastructure environment with Canada-based data cloud services and storage.

For those businesses interested in a multi-pronged platform that improves compliance, the combined use of Office 365 and Microsoft Azure, can be an ideal solution when properly configured.

Office 365 and Azure Built-in Security Features

With Office 365, all data is housed in the cloud, minimizing potential IT infrastructure damage that may result from malware threats and phishing attacks. This agility means that your business can have a fast response to security threats, allowing you to remain competitive. The secure infrastructure offers peace of mind to businesses and their partners and clients.

Microsoft is also tapping into how AI can help businesses protect their data, offering information that will assess and compare the security levels of one business to that of other organizations. According to Microsoft, the Security Development Lifecycle (SDL) and Privacy Statement provide additional detail on the development process and transparent approach to keeping your data private.

  • Microsoft Security Development Lifecycle (SDL): privacy requirements are defined and integrated in the SDL, the software development process that helps developers build more secure products and services. The SDL helps address data protection and privacy requirements including effective privacy reviews of each release of a Microsoft product or service.
  • Microsoft Online Services Privacy Statement puts this commitment in writing and details Microsoft data protection policies and practices in clear, straightforward language.

Your Business Cannot Afford Non-Compliance

Many businesses remain non-compliant because they believe they cannot afford to invest in proper cybersecurity measures. However, your business cannot afford not to invest in PIPEDA and PIPA compliance.

Failure to comply with regulations can result in millions of dollars’ worth of fines, and breaches are costly in terms of more than just finances – customer loyalty, revenue, and reputation are all at stake too.

Compliance is critical for every organization, and an MSP can ensure that your business has the tools necessary to meet compliance requirements.

The experience we have had in 2020 with the global pandemic has revealed the vulnerabilities most businesses have in protecting data from phishing scams.

Implementing robust security that meets compliance requirements and protects employee and client data should be an urgent and immediate effort for every organization.

The ITeam is an authorized partner MSP for Office 365 and Azure. We transform unexpected costs into predictable monthly expenses, allowing your business to invest in an infrastructure that fits your unique needs. To learn more about our Microsoft services, contact us.