Bill C-27 is here: will you be ready?

By Mason Rodney
Public Affairs Coordinator

CIRA publishes an annual survey of Canadian IT security decision-makers to better understand how they are coping with cyber threats. This year’s survey, which research firm The Strategic Counsel conducted in August, collected over 500 responses from IT professionals across the country. This is the third blog post in a series of five for 2022.

As consumers become more acutely aware of the importance of safeguarding their personal data, governments around the world are strengthening data privacy laws to protect them. In June the Government of Canada introduced Bill C-27, the Digital Charter Implementation Act, 2022, an update to Canada’s federal private sector privacy law. If passed, the new law would replace Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) with the Consumer Privacy Protection Act (CPPA).


Many Canadian organizations not aware of Bill C-27

As part of CIRA’s 2022 Cybersecurity Survey, we asked cybersecurity professionals if they were aware of Bill C-27. Surprisingly, only 55 per cent said they were. Of these, 59 per cent said they are concerned about the potential impact of the bill on their organization. With good reason: for organizations that fail to comply with the newly proposed regulations, the penalties are severe. Those found guilty of an indictable offence can be fined up to 5 per cent of global revenues or $25 million, whichever is greater.

Among other proposed changes, Bill C-27 would require organizations in the private sector to implement a variety of new procedures for collecting and handling consumers’ personal information. For example, organizations would be required to obtain an individual’s valid consent for the collection, use or disclosure of their personal information and stop collecting and using their data when an individual withdraws their consent. The bill would also require organizations to establish and maintain a privacy management program and make information about their policies and practices available in plain language for their customers, employees and others.

Other major provisions of the new privacy regulations include: the establishment of a new Personal Information and Data Protection Tribunal to review recommendations from the Privacy Commissioner of Canada and impose penalties when necessary; and the creation of new rules for the responsible development and deployment of artificial intelligence (AI).


What are the implications for Canadian organizations?

The collection of personal information by Canadian businesses is a widespread practice. According to CIRA’s survey, 63 per cent of Canadian private sector organizations collect personal information from customers, employees, suppliers, vendors or partners as part of their ongoing business operations. At the same time, data breaches are relatively common. According to the survey, about a third of organizations (29 per cent) experienced a breach of customer or employee data last year.

Under Canada’s existing data privacy law, organizations that experience a data breach are required to inform the individuals affected if it creates a risk of significant harm. However, just 44 per cent of organizations that experienced a breach said they informed their customers. Knowingly contravening provisions in the bill related to the reporting of data breaches is just one area that has the potential to result in significant monetary penalties and fines.

But avoiding severe financial penalties is not the only takeaway from these survey results. Complying with privacy laws must go hand in hand with strong cybersecurity protections that prevent user information from being compromised by the growing list of threats that organizations face today. Protecting your customers’ privacy is good for business. It builds trust among your customers and employees and can give your company a competitive advantage in the market.


Next steps: How to prepare if the bill is passed

While it’s likely there will be at least some changes to Bill C-27 before it passes into law, now is the time to start preparing your organization to comply with the new regulations. The proposed changes are substantial and will require a concerted effort to ensure your organization is ready.

Getting an assessment from a third-party security expert is a great way to kick off the process and identify any shortcomings in your organization’s data privacy procedures, as well as in your cybersecurity protections.

Training employees on safe data handling practices for user information and cybersecurity awareness is another key step for ensuring your organization is well prepared. That’s why CIRA offers Cybersecurity Awareness Training, which provides phishing simulations, courses, gamification and reporting, all in one platform, and empowers your employees to prevent and report cyberattacks.

Another option to consider in preparing for the new data security legislation is the CyberSecure Canada program. This Government of Canada program can help you improve your organization’s cybersecurity posture by enhancing employees’ cybersecurity knowledge, limiting the impacts of cyber incidents and more. In January 2023, the program is updating its certification requirements to align with the National Standard developed by the CIO Strategy Council for cybersecurity controls for small- and medium-sized organizations.

Here at CIRA, we’re watching the passage of Bill C-27 closely. While the bill is subject to change, one thing that remains constant is the need to up your organization’s cybersecurity awareness.

About the author
Mason Rodney

Mason is the Public Affairs Coordinator in the Community Investment, Policy and Advocacy team at CIRA. He supports CIRA’s government relations, stakeholder outreach and policy research and analysis to help build a trusted internet for all Canadians.