
Avoid new $100,000 penalties in force as of November 1, 2018 – New federal requirements on data breach record-keeping and reporting

As of November 1, retailers must notify the federal Office of the Privacy Commissioner (OPC) if they experience a data breach involving personal information under their control that creates a “real risk of significant harm”.

Record-Keeping: You are required to maintain records of security safeguards and all breaches, whether or not a breach meets this threshold for reporting.

“Real risk of significant harm” means a consideration of the:

  • Sensitivity of the personal information involved. For example, information that is already publicly available elsewhere (e.g. online, in the phone book) may be less sensitive than credit card numbers.
  • Probability that the information has been, is, or will be misused.

Reporting: You must also notify other organizations if they may be able to mitigate or reduce the risk of harm to the individuals affected.

For example, notify:

  • Law enforcement if an attack on your computer system comes from malicious state or commercial actors.
  • Banks or credit card companies if your customers’ payment information is compromised.

Penalties: Failure to report a breach or to maintain records is an offense under the new laws, punishable by a fine of up to $100,000.

RCC Action:

  • RCC success to date:
    • Reasonable reporting requirements, i.e., only in incidents of significant harm
    • Flexibility within your business to determine what constitutes significant harm
    • Flexibility on what must be reported – information directly related to the incident
  • RCC will advise members of all new developments, including guidance for compliance and enforcement activities carried out by government.

For more information, please visit the Office of the Privacy Commissioner’s page on breach reporting obligations.

If you have any questions or concerns, please don’t hesitate to contact Jason McLinton, Vice President, Grocery Division and Regulatory Affairs, at 613-656-7903, or Cory Anderson, Manager, Government Relations and Regulatory Affairs, at 613-656-7901.


About the author

Retail Council of Canada (RCC) has been the Voice of Retail in Canada since 1963. We speak for an industry that touches the daily lives of Canadians in every corner of the country — by providing jobs, career opportunities, and by investing in the communities we serve.
