--- description: The proposed CPPA aims to combat cyberattacks and establish a new private-sector data privacy law on the disclosure and use of personal data. image: https://gdm-localsites-assets-gfprod.imgix.net/images/getapp/og_logo-94fd2a03a6c7a0e54fc0c9e21a1c0ce9.png title: Data protection and the CPPA: What you need to know --- # Data protection and the CPPA: What you need to know Canonical: https://www.getapp.ca/blog/2197/cppa-business-compliance-canada Published on 2021-09-02 | Written by Sukanya Awasthi. ![Data protection and the CPPA: What you need to know](https://images.ctfassets.net/63bmaubptoky/2T3Nk20iF43Bfy4csMLD3X289vBTMTNvpv9KdClio0Q/91e5ad16543390cbb09ab93d133ab2a3/Header-Data-Protection-and-the-CPPA-CA-GetApp-2.jpg) > Canada has suffered several cyberattacks in the recent past. On top of that, the pandemic has pushed companies to take most of their business online, which makes them susceptible to increased cyberattacks and data breaches. Last year, about 61,000 small to midsized enterprises (SMEs) fell victim to cyberfraud according to a survey conducted by the Canadian Federation of Independent Business (CFIB). Moreover, due to the impact of targeted ransomware attacks, the average demand for ransom jumped by 33% from Q4 2019 to CA$148,700 in Q1 2020 according to the National Cyber Threat Assessment 2020 by the Canadian Centre for Cyber Security.  ----- ## Article Content Canada has suffered several cyberattacks in the recent past. On top of that, the pandemic has pushed companies to take most of their business online, which makes them susceptible to increased cyberattacks and data breaches. Last year, about 61,000 small to midsized enterprises (SMEs) fell victim to cyberfraud according to a survey conducted by the Canadian Federation of Independent Business (CFIB). Moreover, due to the impact of targeted ransomware attacks, the average demand for ransom jumped by 33% from Q4 2019 to CA$148,700 in Q1 2020 according to the National Cyber Threat Assessment 2020 by the Canadian Centre for Cyber Security. As a consequence, the Consumer Privacy Protection Act (CPPA) has been proposed in the Canadian parliament in an attempt to enhance data security, prevent data breaches and provide greater transparency to users about how businesses utilize their personal data.What is the CPPA?On 7 November 2020, Bill C-11 —or the Digital Charter Implementation Act (DCIA), composed of the CPPA and the Personal Information and Data Protection Tribunal Act (PIDPTA)— was proposed in the House of Commons. The government has estimated that it will take approximately 18 months for the CPPA to become law and replace the existing Personal Information Protection and Electronic Documents Act (PIPEDA). The CPPA aims to combat cyberattacks and establish a new private-sector data privacy law around the disclosure and use of personal data, whilst maintaining PIPEDA’s governing principles.While the act hasn’t been passed yet, in this article we’ll explore its implications for businesses if it does become law. This can help organizations become better equipped to manage upcoming changes to data privacy laws.Why is data compliance important?Data compliance is important to oversee the protection of the personal information of Canadian citizens. According to a study conducted by the CFIB, over a quarter of firms have been the victims of cyberattacks since March 2020, with 5% stating that the attack on them had been successful. In such a scenario, data protection and data management become high-priority tasks. Not only does data protection prevent data misuse for fraud, phishing, and theft, it also helps organizations with the following:Building client trust in your business:Businesses need to protect their data from security risks in order to prosper. Despite the fact that various data privacy regulations are often similar, companies must carefully evaluate each new legislation to ensure compliance and earn the trust of their customers.Safeguarding your business from data breaches: Protecting a company’s data is not only a legal formality, it is also critical to keep data from being misused and misinterpreted. When a data breach occurs, businesses risk damaging their brand reputation and losing out on consumer loyalty. With compliance management, regular risk assessments, and periodic audits, businesses can minimize the risk of data breaches.Protecting your business from complaints: An upcoming piece of legislation, the PIDPTA, has been proposed in parliament to enhance data protection laws. This act aims to provide Canadians with clearer and more controllable access to their personal information and also ensure that business owners can be sued directly for mishandled data incidents.Data protection enforcement changes under the CPPASeveral changes to the existing infrastructure have been proposed under the new act. The Privacy Commissioner of Canada provides privacy priorities and guidance on how to safeguard data, and acting upon advice from the Office of the Privacy Commissioner of Canada (OPC), the Personal Information and Data Protection Tribunal, established under the CPPA in its proposed form, will have the authority to impose penalties and fines.Non-compliant businesses may face administrative fines of up to 3% of worldwide sales or CA$10 million levied by the OPC. Non-compliance can also result in fines of up to 5% of an organization’s annual sales, or CA$25 million. To avoid these penalties, businesses can automate the implementation process of administering compliance requirements, process and workflow implementation, risk management, and overall compliance management through the use of compliance management software. The following section will outline the requirements set out in the current draft of the proposed legislation so that SMEs can begin to prepare for compliance.How will the CPPA impact businesses?The CPPA is expected to be implemented in all businesses that gather, utilize, or disclose personal data. The proposed legislation may expand the data responsibilities placed on organizations by requiring them to create a plan for privacy management and data protection. Here are a few things to keep in mind when it comes to the CPPA and how it may affect your business:1. Protection of internal dataThe CPPA aims to overhaul the present PIPEDA structure and hold companies entirely accountable for the security of the personal information they collect, use, or disclose, whether for themselves or a third party. Similar in essence to Europe’s General Data Protection Regulation (GDPR), the draft legislation features greater enforcement capabilities and significantly harsher punishments for anyone who breaches the law.2. Data mobility and disposal rights for consumersThe CPPA, like the PIPEDA, contains provisions that will allow individuals to access, update, and dispose of their personal information. This right of disposal would allow users to request that a website delete their personal data, and the right to data mobility would offer users the option to move their personal information from one organization to another. The current draft of the CPPA also states that any modifications to such information would have to be notified to the third parties who hold access to a user’s personal data.3. Transparency of algorithms usedUnder the proposed CPPA, individuals will have the right to an explanation for any forecasts or decisions made by automated decision-making systems. If any organization uses techniques like machine learning, predictive analytics, and regression analysis to make a forecast, decision, or suggestion to the users, then that organization shall be required to provide an explanation of how the results were obtained. 4. New data de-identification guidelinesNew regulations governing de-identification (a method of preventing the disclosure of a user’s personal information) may be imposed on businesses. Different technological and administrative processes can be used to de-identify personal information. According to the current draft of the CPPA, one way to deal with personal data which is no longer required for identification purposes is to make it anonymous. In addition, businesses would need to safeguard such personal information while also stating the restricted circumstances in which it may be used without a consumer’s permission.Next stepsIf enacted as currently drafted, the CPPA could have significant financial consequences for businesses found to be non-compliant. It is critical that private-sector organizations become familiar with the proposed legislation in order to ensure that their policies and procedures are updated to reflect these potential changes. By understanding Canada’s CPPA, businesses can ensure they are compliant with the regulations and better prepare themselves for upcoming changes.Looking for data management software? Check out our catalogue\!Note: This document, while intended to inform our clients about the current data privacy and security challenges experienced by companies in the Canadian marketplace, is in no way intended to provide legal advice or to endorse a specific course of action. For advice on your specific situation, consult your legal counsel. ## About the author ### Sukanya Awasthi Sukanya Awasthi is a content analyst for Capterra, covering emerging technology trends with a focus on retail, construction and ERP. With an educational background in Computer Science, she brings 8 years of hands-on experience to her writing, translating intricate technical concepts into accessible and informative insights. Sukanya’s research and analysis is informed by nearly 200,000 authentic user reviews on Capterra and over 40,000 interactions between Capterra software advisors and software buyers. Sukanya also regularly analyzes market sentiment by conducting surveys of business leaders in the construction space, as well as retail leaders and consumers, so she can provide the most up-to-date and helpful information to small and midsize businesses purchasing software or services. Her work has been featured in Financial Express, Economic Times, and Bloomberg Quint, among other publications. Outside of work, she likes to spend time with her loved ones and her two dogs. ## Related Categories - [Cloud Security Software](https://www.getapp.ca/directory/291/cloud-security/software) - [Cybersecurity Software](https://www.getapp.ca/directory/1035/cybersecurity/software) - [IT, Server & Network Monitoring Software](https://www.getapp.ca/directory/652/it-server-network-monitoring/software) - [Network Monitoring Software](https://www.getapp.ca/directory/480/network-monitoring/software) - [Network Security Software](https://www.getapp.ca/directory/1443/network-security/software) ## Related Articles - [How to prepare your business for a recession using software?](https://www.getapp.ca/blog/3168/prepare-your-business-for-recession) - [Digital reputation: How can SMEs reassure consumers about cybersecurity?](https://www.getapp.ca/blog/3629/digital-reputation-perceptions) - [Over half of Canadian companies have a deepfake response plan in the wake of rising cyberthreats](https://www.getapp.ca/blog/6866/cybersecurity-measures-canadian-business-deepfake-plan) - [Ethics in generative AI: Concerns and potential solutions for businesses](https://www.getapp.ca/blog/4149/ethics-in-generative-ai) - [Digital trends for Canadian SMEs in 2022](https://www.getapp.ca/blog/3220/digital-presence-trends-2022) ## Links - [View on GetApp](https://www.getapp.ca/blog/2197/cppa-business-compliance-canada) - [Blog](https://www.getapp.ca/blog) - [Home](https://www.getapp.ca/) ----- ## Structured Data