GRACE For PIPEDA (Canadian Personal Information Protection and Electronic Documents Act)

Canada has two federal privacy laws that are enforced by the Office of the Privacy Commissioner of Canada: the “Privacy Act”, which covers how the federal government handles personal information and the Personal Information Protection and Electronic Documents Act (PIPEDA), which covers how businesses handle personal information. The act applies to the collection, use or disclosure of personal information during a commercial activity, and affects all transactional organizations, as well as federally regulated ones, including banks, telecommunications and transportation companies. Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as: age, name, ID numbers, income, ethnic origin, or blood type; opinions, evaluations, comments, social status, or disciplinary actions; and employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

The principles of PIPEDA are: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; challenging compliance.

Mandatory data breach reporting and notification at the federal level was introduced with amendments to PIPEDA enacted by the Digital Privacy Act (Bill S-4). Bill S-4 came into force on June 18th, 2015, but the date on which the new data breach provisions would come into effect remained unknown until the recently Order In Council, dated March 26th, 2018 (Order In Council 2018-0369) which stated that the provisions of the Digital Privacy Act relating to data breaches came into force on November 1st, 2018. Failure to report the potential for significant harm can result in fines of up to $100,000 for each time an individual is affected by a security breach.

Firms that operate entirely within the provinces of Alberta, British Columbia and Quebec need to be aware that these three provinces have general private-sector laws that have been deemed substantially similar to PIPEDA. This means that those laws apply instead of PIPEDA in some cases.

What then can firms do?

So, with ever stringent data privacy and data protection laws coming into force around the world, what can, or what should, firms be doing?

Firstly a firm needs to have a set of policies and procedures that align its activities with the regulations it needs to comply with. Risk and compliance officers need to ensure that these documents not only exist, but are actively lived within the organization – that staff have read and understand their obligations as they related to their roles in the organization.

Secondly, is to know what personal data you have, where it is stored, how it is protected, who has access to it, does it leave the organization for processing by a third-party? This data register needs to be kept up to date, while we have seen some firms conduct a point-in-time audit of their data assets this has then been left to sit on a shelf and is out of date almost as soon as it has been created. Correctly implementing data retention policies is key to ensuring that data is correctly destroyed once it is no longer required by the organization. Technology tools can add greatly to the effectiveness of audit and remediation activities.

Third-party vendors who perform processing on behalf of the organization must be audited to ensure that they are meeting their obligations with regard to the protection of personal data. This includes collecting supporting evidence to ensure that third-party vendors have the correct policies, procedures, and protection mechanisms in place, and are prepared to deal with, and inform, in event of a breach. Third-parties who do not provide the required information, or do not have the correct controls in place must be correctly managed, and the risks associated with sharing data with them highlighted to the board for action.


Staff must not only be aware that policies exist and that they have obligations surrounding how they deal with personal data – they must be continually trained to ensure that they have the right skills to act in the correct way. Storing personal data on laptops, mobile devices, tablets, USB drives all add greatly to the risk of a data breach – there have been many highly publicized cases of laptops being left on trains, in cafes and even being stolen in corporate espionage situations.

Individuals with specific responsibilities, for example, those responsible for responding to, and reporting breaches need to have specific training to ensure that they are correctly prepared to react within prescribed time limits. Staff continuity planning is essential – in many organizations staff change role, new staff join and others leave – it is vital to ensure alignment between the roles and responsibilities and those carrying out these roles; this includes providing training upon joining the firm, changing roles, as well as ensuring that there are plans in place to back-fill in event of unexpected departures.

In all cases, it is vital that data privacy training be more than a simple check-the-box exercise – it is essential that staff consider the protection of data to be an innate part of their role and responsibility. Training should include the whole organization – the CEO should not be excluded simply because he or she is senior in the organization, in fact many CEOs spend a large proportion of their time on the road and carry with them a multitude of devices such as laptops and smartphones.

Training should be structured to ensure that staff are engaged and interested – including case studies, practical examples and quiz-based testing can all help retention.

How does GRACE help?

The La Meer GRACE platform is a web-based, tablet-enabled, mobile-ready platform that makes risk and compliance management easy and organized. GRACE’s modular platform provides a suite of tools which provide an integrated approach to governance, risk and regulatory compliance management. Our modular platform offers Integrated By Design but Modular by Approach to allow firms to create an extensible custom product suite with the right features to meet the immediate business goals, while at the same time allowing for additional functionality to be easily switched on through configuration as business needs change.

The platform is ready to use from day one, reducing costs and increasing value in the organization to create an immediate return on investment.

The GRACE platform is built on an industry-standard Oracle stack, and can be deployed on-premises (where Oracle is available), in the cloud, and in private/hybrid certified cloud environments.
Our cloud-based offering is available in multiple jurisdictions, including the United States, Canada, UK, Switzerland, and throughout the European Union, ensuring that data remains within the customer’s jurisdiction to meet regulatory and end-customer needs. Data privacy, data protection, security, reliability, and availability are taken seriously and have been designed into the product from the ground-up.

You can pay as you go for only the modules you use. GRACE’s multi-lingual capabilities enable you to deploy it worldwide. You can integrate GRACE to your source systems and enhance its capability to make it your own system.

GRACE for Data Privacy is a complete solution to help firms manage their obligations to data privacy,
IT and vendor-risk management. The solution is multi-jurisdictional and is optimized to enable organizations to comply with their obligations with respect to Europe’s GDPR, California CCPA, and Canadian Privacy Statutes (Federal PIPEDA, Alberta’s Personal Information Protection Act, British Columbia’s Personal Information Protection Act, and Quebec’s Loi sur la protection des renseignements personnels dans le secteur privé).

GRACE provides a comprehensive toolkit to help the needs of Data Processing Officers (DPOs), IT Governance Managers, Heads of Risk and Compliance, Operational Risk Managers, Audit Leaders and the Board to address regulatory requirements.

GRACE provides you a visible integrated single source of truth for the organization and helps prove compliance to regulators. Built on industry standards, COBIT, ITIL and other cyber-security guidelines, GRACE can help you implement privacy compliance, without costing large sums of money.

Manage information you hold by building and keep updated your inventory of personal data that the organization holds and monitor the protections in place for the information.

GRACE helps you:

  • Identify the lawful basis for processing data and document them.
  • Monitor, manage and review how you ask for and record consent.
  • Monitor that individual right requests are managed properly throughout the organization.
  • Create, manage and keep-updated policies and procedures.
  • Conduct DPIA (Data Protection Impact Assessment) within the organization and with outsourced vendors who handle your data.
  • Highlight risks and ensure that all risks identified are mitigated properly.
  • Record data privacy violations and personal data breaches and ensure proper reporting to clients and regulators and proper, mitigation steps are taken and concluded.

About La Meer Inc.

La Meer Inc., founded in 2010, is a Silicon Valley firm that offers the GRACE Suite of products to
addresses a variety of aspects of risk management, from operational risk, compliance management,
operational due diligence, client management, KYC, AML, and IT and vendor risk – that address world-wide regulations.  Today La Meer is present in the US, Canada, UK and the EU, servicing clients throughout North America and the European Union.

Our team comprises of people with deep subject matter knowledge and technology expertise
gained in their extensive global experience, including building and implementing complex systems like the Bombay Stock Exchange on-line trading, credit data warehouse, derivatives technologies, integrated treasury, and corporate and private banking areas.  Their experiences include working for major corporations including Citibank, Silicon Valley Bank, and CMC Limited.

GRACE offers comprehensive functionality specifically built to address regulatory needs in the financial segments of banking, asset management, capital markets, and institutional investments. Built on the market leading Oracle stack, availability, reliability, redundancy, resilience, data protection, and data privacy are all inherent in the platform. GRACE’s modular architecture allows firms to have the benefits of a custom solution delivered through configuration of the modules needed to suit their own requirements.

For more information on the product features, please look at our website, or to arrange a demo, feel
free to call or email one of our team.

La Meer Inc. A Risk and Compliance Solutions company for Financial Markets.