PIPEDA Vs GDPR

PIPEDA Vs GDPR has long been a topic of discussion among businesses looking to achieve compliance with both data privacy laws. Data privacy and data protection laws around the world now have a significant impact on any business that collects, stores, processes or sells personal data. Regardless of its size or the industry it operates in, an organization is expected to comply with every regulation that applies to it.

Most countries have data privacy and data protection laws that govern how businesses handle personal information. Regulators around the globe have introduced laws such as the General Data Protection Regulation (GDPR) in the EU, the California Consumer Privacy Act of 2018 (CCPA) in the U.S., and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada to address data privacy concerns.

Although GDPR and PIPEDA are both internationally recognized data protection laws, they differ considerably in scope and requirements. In today’s article, we draw out some key differences between the two regulations (PIPEDA Vs GDPR). This will help organizations understand why complying with one law does not guarantee compliance with the other. But before we read through the high-level comparison of the two regulatory frameworks, let us first understand each law.

What is GDPR?

In force since May 25, 2018, the GDPR is an EU data privacy regulation applicable to organizations that process the personal data of individuals in the EU. It is currently one of the most comprehensive data privacy laws, designed to address the growing concerns around data protection and privacy, and it has shaped privacy legislation across the EU and the EEA.

What is PIPEDA?

Like the GDPR, PIPEDA is Canadian legislation designed to keep Canada's data privacy standards consistent with those of its major trading partners, particularly the EU. The Personal Information Protection and Electronic Documents Act received Royal Assent on 13 April 2000 and came into force in stages between 2001 and 2004. It governs how private sector organizations handle personal information in the course of commercial activity. The Act also contains provisions that facilitate the use of electronic documents.

PIPEDA Vs GDPR- High-Level Comparison

PIPEDA and GDPR both build on fair information practices, but they differ in significant ways within their respective jurisdictions. The key high-level differences are outlined below.

For each topic below, the PIPEDA position is given first, followed by the GDPR position.

Application of Law
PIPEDA: Applies to private sector organizations that collect, use or disclose personal information in the course of commercial activity. Small businesses, and non-profit and charitable organizations, are covered to the extent that they carry on "commercial activity".
GDPR: Applies to any organization, wherever it is located, that processes the personal data of individuals in the EU as a data controller or data processor. Organizations outside the EU are covered when they offer goods or services to individuals in the EU or monitor their behaviour (for example, for advertising).

Individuals Protected
PIPEDA: Any individual whose personal information is handled by a covered organization; the individual does not have to be a citizen or resident of Canada.
GDPR: Any individual (data subject) who is in the EU, whether or not they are an EU citizen or resident.

Jurisdiction of Applicable Law
PIPEDA: A federal law that applies across the whole of Canada, except in provinces where a substantially similar private sector data protection law already applies.
GDPR: Applies uniformly across the whole of the EU (and, through the EEA Agreement, the EEA).

Data Protection
PIPEDA: Personal information must be protected by safeguards appropriate to its sensitivity, keeping pace with the evolving risk landscape. Safeguards must protect against loss or theft and against unauthorized access, disclosure, copying, use or modification, and must include physical, organizational and technological measures.
GDPR: Personal data must be processed in a manner that ensures appropriate security, taking into account the state of the art and the risks involved, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. Organizations must build the data protection principles into their processing (data protection by design and by default).

Accountability
PIPEDA: The organization is responsible for personal information under its control and must designate one or more individuals accountable for its compliance with the Act.
GDPR: A data controller or processor that is not established in the EU must designate a representative in the EU. In certain circumstances (for example, large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data) a Data Protection Officer must also be appointed.

Individual Rights
PIPEDA:
- Right to access personal information
- Right to challenge the accuracy and completeness of personal information and have it amended
- Right to withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice
- A right to erasure that is limited and far narrower than under GDPR
GDPR:
- Right of access
- Right to rectification
- Right to withdraw consent
- Right to erasure ("right to be forgotten")
- Right to data portability
- Right to restriction of processing
- Right not to be subject to a decision based solely on automated processing

Privacy Requirements
PIPEDA: The openness principle obliges organizations to make the following readily available to individuals:
- Contact details of the individual accountable for the organization's privacy policies
- The type of personal information the organization holds
- How personal information is used
- How individuals can gain access to their personal information
- A copy of, or a description of, the organization's relevant policies
- Which personal information is shared with related organizations (for example, subsidiaries)
GDPR: The transparency principle covers virtually all information about how a data controller processes personal data, including:
- Identity and contact details of the data controller (and, where applicable, its representative and Data Protection Officer)
- The types of personal data processed
- The purposes and means of processing, and the lawful basis relied on
- The retention period, or the criteria used to determine it
- The third parties (recipients) with whom the data will be shared
- How data subjects can exercise their rights and lodge a complaint with a supervisory authority
- The existence of automated decision-making, including profiling

Data Processing Consent
PIPEDA: Organizations may rely on implied or express consent. The form of consent required depends on the sensitivity of the personal information and on the reasonable expectations of the individual.
GDPR: Consent is one of several lawful bases for processing rather than a universal requirement. Where consent is relied on, it must be freely given, specific, informed and unambiguous; the request must be clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language; and the data subject must be able to withdraw consent as easily as it was given. Explicit consent is required for special categories of personal data.

Law Enforcing Authority
PIPEDA: The Office of the Privacy Commissioner of Canada (OPC) is an independent public authority responsible for investigating complaints made under PIPEDA. The OPC's powers are largely investigative: it can demand information and conduct audits, but it cannot itself impose fines or binding orders.
GDPR: National Data Protection Authorities (supervisory authorities) enforce the GDPR. They are independent public bodies with three broad types of powers:
- Investigative powers: to demand information, conduct audits and enter premises
- Corrective powers: to issue warnings and reprimands, order compliance, and impose administrative fines
- Authorisation and advisory powers: to advise lawmakers and approve codes of conduct and certification standards

Breach Notification
PIPEDA: An organization must:
- Report to the Privacy Commissioner of Canada any breach of security safeguards involving personal information under its control where it is reasonable in the circumstances to believe the breach creates a real risk of significant harm to an individual
- Notify affected individuals of any such breach
- Make the report and the notifications as soon as feasible after determining that the breach has occurred
- Keep a record of every breach of security safeguards, whether or not it was reported
GDPR: A data controller must:
- Notify the competent supervisory authority of a personal data breach unless it is unlikely to result in a risk to the rights and freedoms of individuals, without undue delay and, where feasible, within 72 hours of becoming aware of it
- Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms
- Document every personal data breach, whether or not it was notified

Penalties
PIPEDA: Offences under the Act (for example, knowingly failing to report or record a breach, or obstructing the Commissioner) are punishable by fines of up to CAD 10,000 on summary conviction or CAD 100,000 on indictment.
GDPR: Administrative fines of up to €10 million or 2% of worldwide annual turnover for lower-tier infringements, and up to €20 million or 4% of worldwide annual turnover for the most serious infringements, whichever amount is higher in each case.

Compensation
PIPEDA: Following a Commissioner's report, a complainant may apply to the Federal Court, which may order an organization to correct its privacy practices and award damages to the individual.
GDPR: Data subjects have the right to an effective judicial remedy against a controller or processor and to compensation for any material or non-material damage arising from an infringement.


Conclusion

The PIPEDA Vs GDPR comparison above makes it clear that being compliant with one regulation does not make you compliant with the other. It does, however, make the second compliance journey considerably easier, because many of the underlying obligations overlap.

The differences above also show that GDPR is the more comprehensive and demanding of the two. Both regulations, however, are built on the principles of transparency and accountability, which gives organizations a common foundation for their compliance efforts. Organizations doing business in the European Union or Canada need to follow the applicable privacy laws and standards closely.

VISTA InfoSec is an international cyber security consulting firm with deep knowledge and experience of industry standards, compliance and regulations. With nearly two decades in the industry, VISTA InfoSec can help organizations like yours achieve GDPR and PIPEDA compliance. Our industry knowledge and expertise will ease your compliance journey and help ensure your business stays compliant by adopting industry best practices.

Narendra Sahoo

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global information security consulting firm based in the US, Singapore and India. Mr. Sahoo has more than 25 years of experience in the IT industry, with expertise in information risk consulting, assessment and compliance services. VISTA InfoSec specializes in information security audit, consulting and certification services, including GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS compliance and audit, PCI PIN, SOC 2 compliance and audit, PDPA and PDPB, to name a few. Since 2004 the company has worked with organizations across the globe to address the regulatory and information security challenges in their industries, and has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.