CanucktAI
Glossary

Privacy breach notification

Privacy breach notification is the legal duty to report a security incident involving personal information to regulators and affected individuals when it poses a real risk of significant harm.

Under PIPEDA, an organization that suffers a *breach of security safeguards* must notify the Office of the Privacy Commissioner of Canada and affected individuals *as soon as feasible* whenever the breach creates a real risk of significant harm (RROSH) — think identity theft, financial loss, humiliation, or reputational damage. Records of all breaches must be kept, even those that don’t meet the threshold.

Quebec’s Law 25 frames the same duty around an *« incident de confidentialité »*: if it presents a risk of serious injury (*risque de préjudice sérieux*), you must notify the Commission d’accès à l’information and the individuals concerned, and log the incident in a mandatory register.

Assess breaches quickly against factors like data sensitivity and probability of misuse. Delays and non-reporting can attract significant penalties under both regimes.

Our own compliance

We run our own compliance programme inside Valdra — the product we sell. Our SOC 2, ISO 27001 and ISO 42001 programmes are actively in progress; we do not claim certifications we do not yet hold.

Valdra compliance badge — click to verify
  • PIPEDA
  • Law 25 (Quebec)
  • CASL
  • Data hosted in Canada 🇨🇦
  • AI governance
View our Trust Centre

Self-declared, not audited by a third party. Click the badge to verify it is genuine and see what it covers.

Privacy breach notification — definition | Canuckt AI