INDEPENDENT AUDITS FOR PIPEDA, MFIPPA, GDPR, AND OTHER PRIVACY REGULATIONS
More than ever, organizations are being required to show stakeholders that they are properly protecting Personally Identifiable Information (PII). Whether under Canada’s PIPEDA, Ontario’s MFIPPA, or the European Union’s GDPR, more and more regulations are being enforced, with potentially severe consequences for non-compliance. Preparation for showing that proper care is being afforded under these laws starts with a Privacy Impact Assessment review of your current situation. Should a regulator require evidence that you are following reasonable PII protection procedures, you can be confident that you are well prepared, with documentation at hand.
PIPEDA (Personal Information Protection and Electronic Documents Act)
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations. It sets out the ground rules for how businesses must handle personal information in the course of commercial activity.
MFIPPA (Municipal Freedom of Information and Protection of Privacy Act)
Every head of an institution shall ensure that reasonable measures respecting the records in the custody or under the control of the institution are developed, documented and put into place to preserve the records in accordance with any record keeping or records retention requirements, rules or policies, whether established under an Act or otherwise, that apply to the institution. 2014, c. 13, Sched. 6, s. 3.
GDPR (General Data Protection Regulation)
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect, it will replace the data protection directive (officially Directive 95/46/EC) of 1995. The regulation was adopted on 27 April 2016. It becomes enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable.