Canada's federal law relating to data privacy, PIPEDA, was amended in 2015 to require that organizations keep a record of every breach, and notify affected individuals as well as Canada's privacy regulator, where there could reasonably be a risk of "significant harm." "Significant harm" contemplates a range of scenarios, from humiliation and reputational damage to property and financial losses. Now, as these mandatory data breach notification provisions are expected to finally come into force this year, data security will continue to be a growing concern for companies of all sizes.

Canadian organizations that carry on business south of the border will also have to keep a watchful eye on breach notification laws in the U.S., where 48 states have different regimes.

They will also have to pay close attention to the European Union's General Data Protection Regulation, which will come into effect in May. The GDPR has extra-jurisdictional reach and therefore may apply to certain Canadian companies that collect personal information on EU residents.
