
PIPEDA and BC PIPA Compliance for Vancouver Businesses

Hexafusion delivers practical privacy compliance for BC businesses subject to the federal PIPEDA, BC's Personal Information Protection Act (PIPA), or both. Documented privacy program, plain-English policy, working breach playbook, and a safeguards statement that holds up to a regulator response.

Written by Alex Barari, founder of Hexafusion and a former PCI DSS Internal Security Assessor (ISA). Hexafusion is not a law firm and this page is not legal advice, but the privacy programs we deliver have stood up to OPC and BC OIPC scrutiny.

Which law applies to your business

Two privacy laws cover most BC private-sector businesses. The differences matter less than people think.

BC PIPA

The Personal Information Protection Act of British Columbia applies to almost every private-sector organisation operating in BC. Enforced by the Office of the Information and Privacy Commissioner for BC (OIPC). Mandatory breach reporting was added in 2023. Most BC dental clinics, law firms, accountants, retailers, manufacturers, and professional services fall under PIPA.

PIPEDA

The federal Personal Information Protection and Electronic Documents Act applies to federally regulated businesses (banks, telecom, interprovincial transport, aviation) and to any organisation that moves personal information across a provincial or international border in commercial activities. Enforced by the Office of the Privacy Commissioner of Canada (OPC). Mandatory breach reporting since 2018.

For most Vancouver businesses both laws apply: PIPA for BC operations, PIPEDA the moment data moves to a cloud provider in the US, Ontario, or elsewhere. A single privacy management program designed to the higher standard satisfies both. We design that way by default.

The 10 PIPEDA principles and what they mean in practice

For each principle, what you actually deliver:

  1. Accountability. Named privacy officer, documented responsibilities, published contact.
  2. Identifying purposes. Written list of why you collect each category of personal information, before collection.
  3. Consent. Form consent or opt-in mechanisms, withdrawal procedure, age-of-consent handling.
  4. Limiting collection. Forms and intake processes designed to collect only what is necessary for stated purposes.
  5. Limiting use, disclosure, retention. Written retention schedule, automated deletion or anonymisation, no secondary use without fresh consent.
  6. Accuracy. Documented procedure to correct inaccurate information on request.
  7. Safeguards. Physical, organisational, technological controls proportionate to data sensitivity. This is the big technical work area; see below.
  8. Openness. Published privacy policy in plain language, contact information for the privacy officer.
  9. Individual access. Documented procedure to handle access requests within 30 days (extendable to 60 with notice).
  10. Challenging compliance. Documented complaint procedure, escalation path to the privacy officer, then to the regulator.

The safeguards principle is where IT work concentrates

Principle 7 (PIPEDA) and section 34 (PIPA) require safeguards proportionate to the sensitivity of the information. The OPC and BC OIPC have published findings over the past five years that establish a working baseline. As of 2026, every safeguards statement we deliver covers these controls explicitly:

Multi-factor authentication

On every account with access to personal information. Phishing-resistant factors preferred (passkey, FIDO2 key, app push). SMS only as a fallback.

Endpoint detection & response

Behavioural detection on every laptop, desktop, and server. Signature-based antivirus alone is no longer considered sufficient by OPC.

Encryption at rest and in transit

Full-disk encryption on every endpoint, TLS 1.2+ on all public-network traffic, encrypted backups, encrypted email for sensitive transmissions.

Vulnerability management

Monthly external scans, regular internal scans, critical patches within 30 days, documented remediation tracking.

Access control and least privilege

Role-based access, documented access matrix, quarterly recertification, separation of admin and user accounts.

Security awareness training

Annual training plus monthly phishing simulation. Documented completion records per employee.

Backup and recovery

Immutable backups, tested restores, documented retention aligned to legal hold and PIPEDA retention requirements.

Audit logging

Access to personal information logged, logs retained 12+ months, logs reviewed periodically or alerts automated.
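The access-control and audit-logging controls above are easiest to evidence when the periodic log review is scripted rather than eyeballed. The following is an added example, not Hexafusion's code or anything from this page: it reads a constructed sample of personal-information access events, checks each one against an assumed role-based access matrix (the documented matrix from the access-control item), flags users reading an unusually large number of distinct records in a short window, and confirms the retained log history reaches back at least 12 months. The log format, role names, information categories, thresholds and every sample line are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed role-based access matrix: the personal-information categories each role may read.
# Admin accounts are separate from user accounts and administer systems, not records.
ACCESS_MATRIX = {
    "reception": {"contact"},
    "clinician": {"contact", "health"},
    "billing": {"contact", "financial"},
    "admin": set(),
}

# Constructed sample log (not real data). The line format is an assumption:
# <ISO-8601 UTC> user=<id> role=<role> action=<verb> category=<PI category> record=<id>
SAMPLE_LOG = """\
2025-02-15T14:20:00Z user=mchan role=reception action=read category=contact record=P-0007
2026-03-02T08:55:10Z user=mchan role=reception action=read category=contact record=P-1041
2026-03-02T09:02:41Z user=mchan role=reception action=read category=health record=P-1041
2026-03-02T09:10:00Z user=rpatel role=billing action=read category=financial record=P-2001
2026-03-02T09:10:05Z user=rpatel role=billing action=read category=financial record=P-2002
2026-03-02T09:10:09Z user=rpatel role=billing action=read category=financial record=P-2003
2026-03-02T09:10:14Z user=rpatel role=billing action=read category=financial record=P-2004
2026-03-02T09:30:00Z user=sysadm role=admin action=read category=contact record=P-3100
2026-03-02T10:05:22Z user=dlee role=clinician action=read category=health record=P-1041
2026-03-02T10:06:00Z user=dlee role=clinician action=update category=health record=P-1041
"""

# Fixed "now" for the sample so the retention check is reproducible (an assumption).
SAMPLE_NOW = datetime(2026, 3, 2, 12, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"category=(?P<category>\S+) record=(?P<record>\S+)$"
)


def parse_log(text):
    """Parse log lines into event dicts. Malformed lines are skipped, never guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def scope_violations(events, matrix=ACCESS_MATRIX):
    """Accesses to a category the user's role may not read, including unknown roles."""
    return [
        (ev["user"], ev["role"], ev["category"], ev["record"])
        for ev in events
        if ev["category"] not in matrix.get(ev["role"], set())
    ]


def bulk_access(events, limit=3, window=timedelta(minutes=10)):
    """Users who read more than `limit` distinct records inside any `window`-long span.
    Returns {user: largest distinct-record count seen in one window}."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["action"] == "read":
            by_user[ev["user"]].append((ev["ts"], ev["record"]))
    flagged = {}
    for user, reads in by_user.items():
        reads.sort()
        for i, (start, _) in enumerate(reads):
            in_window = {rec for ts, rec in reads[i:] if ts - start <= window}
            if len(in_window) > limit:
                flagged[user] = max(flagged.get(user, 0), len(in_window))
    return flagged


def retention_satisfied(events, now, required=timedelta(days=365)):
    """True when the oldest retained event is at least `required` old (12+ months of logs)."""
    if not events:
        return False
    return now - min(ev["ts"] for ev in events) >= required


def review(text, now):
    """Run the three checks a periodic log review would document."""
    events = parse_log(text)
    return {
        "scope_violations": scope_violations(events),
        "bulk_access": bulk_access(events),
        "retention_ok": retention_satisfied(events, now),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG, SAMPLE_NOW).items():
        print(f"{key}: {value}")
```

On the sample, the review flags the receptionist reading a health record, an admin account reading a patient record at all, and a billing user pulling four distinct financial records in 14 seconds; the retention check passes because the oldest retained line is more than a year old. In a real deployment the same checks run as scheduled alerts over the exported logs, and the findings, and the sign-off on each, become the "logs reviewed periodically" evidence a regulator asks for.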

Vendor and processor agreements

Written data processing addendum with every vendor handling personal information. Breach notification clauses, security commitments, deletion on contract end.

Breach response under 72 hours

Mandatory breach reporting is now the high-stakes operational moment in every privacy program. PIPEDA and PIPA both expect notification "as soon as feasible" once you determine real risk of significant harm. The practical bar both regulators apply is 72 hours in most cases. We design every privacy program with a 72-hour playbook so the team is not building it during the incident.

The five-step breach playbook we deliver:

  1. Contain (hour 0-4). Stop the bleed. Isolate affected systems. Rotate credentials. Preserve evidence (no system wipes, no log clearing).
  2. Triage (hour 4-12). Identify what categories of personal information were affected, how many individuals, root cause, threat actor profile.
  3. Decide (hour 12-48). Apply the real-risk-of-significant-harm test. Document the decision and the analysis. If reportable, draft the regulator notification and the individual notification in parallel.
  4. Notify (hour 48-72). Send the regulator notification (OPC, BC OIPC, or both). Send individual notifications via the most appropriate channel (email for breaches involving email addresses, mail for breaches involving postal addresses).
  5. Record and review (week 1-4). Maintain the mandatory breach record (required even for non-reportable breaches). Conduct lessons-learned. Update controls. Update the breach playbook itself.

See our deep-dive blog post: PIPEDA breach notification 72-hour playbook.

What we deliver in a PIPEDA/PIPA engagement

  • Privacy management program document.
  • Public-facing privacy policy in plain language, BC-jurisdictional.
  • Internal consent procedure and form templates.
  • Written safeguards statement mapped to PIPEDA Principle 7 and PIPA section 34.
  • 72-hour breach playbook with named owners and decision tree.
  • Template breach notifications (regulator and individual versions).
  • Access and correction request procedure.
  • Vendor data processing addendum template.
  • Retention schedule and disposal procedure.
  • Privacy officer accountability document.
  • Annual privacy training deck for staff.
  • Initial privacy impact assessment (PIA) for one major system or process.

Cross-border data and cloud providers

PIPEDA and PIPA both allow cross-border transfers, but the originating organisation remains accountable. Practical implementation for the most common cloud platforms:

Microsoft 365

Canadian data residency option available for Exchange, SharePoint, OneDrive, and Teams content. Documented in the M365 admin centre. Microsoft Online Services Data Protection Addendum addresses PIPEDA requirements.

Google Workspace

Data Regions feature pins data to Canada or other regions for Drive, Gmail content, and Calendar. Google Cloud Data Processing Amendment satisfies the contractual requirements.

AWS and Azure

Both have Canadian regions. Region pinning at the resource level. DPA available. Most BC SaaS clients deploy primary regions in Canada Central (Azure) or ca-central-1 (AWS).

SaaS and marketing tools

CRM, email marketing, analytics, payment processors. Each requires a data processing addendum and a privacy policy mention. We maintain the vendor register.

Industry-specific applications

Dental clinics

CDSBC and CDA-CDSBC obligations overlap with PIPA. Patient records on practice management systems. We layer PHIPA-style controls on top of PIPA.

Medical clinics

PIPA plus the BC E-Health Act and CPSBC standards. EMR audit logs, role-based access, encrypted communications.

Law firms

Law Society of BC technology and confidentiality rules layer over PIPA. Client matter confidentiality is the higher standard.

Accounting firms

CPA-BC privacy expectations plus PIPA. Client financial data, tax records, sometimes payment information triggering PCI DSS as well.

Real estate

BCFSA conduct rules and PIPA. Client identification, source-of-funds documentation, transactional records.

Non-profits and charities

PIPA exempts non-profits in some narrow cases but most BC charities collect donor information in commercial activities and are fully covered.

FAQ

Does PIPEDA or BC PIPA apply to my business?

BC PIPA applies to almost every private-sector BC business. PIPEDA applies to federally regulated businesses and to inter-provincial or international transfers of personal information. Most BC businesses are subject to PIPA, and PIPEDA is also engaged whenever data crosses a border. A single program designed to the higher standard covers both.

What counts as a privacy breach that must be reported?

A breach of security safeguards involving personal information that creates a real risk of significant harm. Significant harm includes financial loss, identity theft, damage to reputation, employment loss, or other meaningful consequence for the individual. Even non-reportable breaches must be recorded.

How long do we have to report?

"As soon as feasible" after the real-risk-of-significant-harm determination. The practical bar is 72 hours. Notifications go to the regulator (OPC for PIPEDA, BC OIPC for PIPA) and to the affected individuals.

Do we need a designated privacy officer?

Yes. Both PIPEDA and PIPA require a named accountable person. Usually the owner, CFO, or operations lead in BC SMBs. Title is less important than published contact information and documented authority.

What does a regulator response look like?

A written information request, usually with a 30-day response deadline. Common asks: copy of privacy policy, breach response procedure, safeguards documentation, records of training, vendor agreements, and incident records for any breach involved. Cooperation is the path of least resistance. We help draft responses and assemble evidence.

What is the penalty exposure?

PIPEDA currently carries offences for knowing violations, with fines up to CA$100,000. Bill C-27 (Digital Charter Implementation Act) proposes administrative monetary penalties of up to 5 percent of global revenue or CA$25 million once fully proclaimed. PIPA currently has lower penalty exposure. Reputational damage from a published finding often exceeds the statutory penalty.

Can we keep using US-based cloud providers?

Yes, with proper documentation. Both laws permit cross-border transfers as long as the originating organisation remains accountable. Practical requirements: data processing addendum with the provider, notice in your privacy policy, and a risk assessment. We handle all three.

How does this interact with PCI DSS or SOC 2?

Mostly additive in a good way. PIPEDA/PIPA safeguards overlap heavily with PCI DSS requirements 5-12 and with SOC 2 Common Criteria controls. We deliver evidence packages that map across all applicable frameworks, so you build the work once and use it everywhere.

Book a privacy assessment

30-minute conversation to identify which law applies to you, where the gaps are, and what a defensible privacy program looks like for your industry. Free.
