Data breach notification: what a Canadian small business must do

When personal information is lost, stolen, or exposed, cleaning up the mess is only half the job. Under Canadian privacy law, a breach can also trigger a legal duty to report it, to a regulator, to the people affected, and sometimes to others, and to keep a record either way. The rules are not as scary as they sound, but the time to understand them is before an incident, not during one. Here is what a small business actually has to do.

A breach is a legal event, not just an IT problem

It is tempting to treat a breach as something the IT side handles quietly: contain it, fix it, move on. But reporting is a separate obligation from cleanup, and skipping it can turn a manageable incident into a regulatory one. The good news is that the law does not ask you to report every minor slip to the world. It asks you to apply a clear test, act on it, and write down what you decided.

When you actually have to report

Federally, PIPEDA sets the trigger: you must report a breach when it creates a "real risk of significant harm" to an individual. "Significant harm" is broad: it includes identity theft, fraud and financial loss, damage to reputation or relationships, and loss of a job or business opportunity. Whether the risk is "real" turns on two things: how sensitive the information is, and how likely it is to be misused. A stolen laptop full of client financial records is a clear yes; a single internal email sent to the wrong colleague may well be a no. If a breach meets that bar, the reporting duties below kick in. If it does not, you still have to record it (more on that shortly).

Who you have to notify

When a breach is reportable, the duty usually runs three ways:

  • The regulator. Federally that is the Office of the Privacy Commissioner of Canada (the OPC). If you handle the personal information of Quebec residents, you also report to Quebec's Commission d'accès à l'information (the CAI) under Law 25.
  • The affected individuals. The people whose information was exposed must be told directly, so they can protect themselves.
  • Anyone who can reduce the harm. Sometimes that means notifying another organization that can help limit the damage, such as a payment processor, a bank, or law enforcement.

How fast, and what the notice has to say

The standard is "as soon as feasible" after you determine that a reportable breach has happened, so this is not something to sit on for weeks. The notice to affected individuals should be in plain language and cover the essentials: what happened, what information was involved, what you are doing about it, and what they can do to protect themselves, such as changing passwords, watching their accounts, or placing a fraud alert. Clear, prompt, honest notice also does more to preserve trust than silence ever does.

The record-keeping rule almost everyone misses

Here is the part that surprises most small businesses: under PIPEDA you must keep a record of every breach of security safeguards, even the ones you decide are not reportable. The OPC can ask to see those records, and federally you are expected to keep them for two years. In practice this means a simple breach log, a short entry for each incident noting what happened, when, what data was involved, your risk assessment, and what you did. It takes minutes per incident and it is exactly what an investigator, or an insurer, will ask for.

Quebec's Law 25 raises the bar

If your business touches the personal information of people in Quebec, even from outside the province, Law 25 adds its own breach duties: report incidents that present a risk of serious injury to the CAI and to affected individuals, and keep a register of confidentiality incidents. The thresholds and wording differ slightly from PIPEDA, so a business operating across Canada should plan to the stricter of the two. Our Law 25 guide covers what else that law requires.

Do it in order: a short playbook

If a breach happens, work through it in this sequence:

  • Contain it first. Stop the bleeding before anything else (our incident response guide covers the technical first hour).
  • Assess the risk. Apply the "real risk of significant harm" test: how sensitive is the data, and how likely is misuse?
  • Record it in your breach log, whether or not it turns out to be reportable.
  • Notify the regulator and the affected individuals if it meets the bar, as soon as feasible.
  • Document and review. Keep the evidence, and fix whatever let the breach happen.