In an active breach right now?
Each guide below is a scannable checklist for use during an incident. Use ClearBreach to run your formal assessment and generate required documents.
Get early access now →Resource library
Breach response & compliance guides
Immediate breach response checklists and proactive compliance guides for Canadian private-sector organizations under PIPEDA, Alberta PIPA, and BC PIPA.
Want the full background on a scenario? Read the educational playbooks →
Alberta PIPA Reform: What the 12 Recommendations Mean for Your Business
Alberta's Standing Committee recommended 12 PIPA amendments — new enforcement powers, a defined harm threshold, and mandatory vendor contracts.
Open guide →
BC PIPA Reform: What BC's 2026 Privacy Bill Signals for Private-Sector Businesses
BC is reforming its public-sector privacy law first. Here's what Bill 9 signals for BC PIPA private-sector reform and what businesses should do now.
Open guide →
Cross-Border Privacy Impact Assessments Under Bill C-36 (PPCDA): Which Vendors Trigger the Requirement
PPCDA requires a Privacy Impact Assessment before transferring personal data outside Canada — any organization using US cloud vendors will trigger it.
Open guide →
Legitimate Interest Under Bill C-36 (PPCDA): New to Canadian Privacy Law
Bill C-36's PPCDA introduces legitimate interest — a new basis to use personal information without consent that does not exist under PIPEDA.
Open guide →
Bill C-36 (PPCDA): Canada's New Privacy Law Lets Customers Sue You Directly
PPCDA lets individuals sue for privacy violations after a confirmed OPC finding — direct liability that does not exist under PIPEDA.
Open guide →
What Is a Privacy Management Program Under Bill C-36 (PPCDA)?
Bill C-36's PPCDA makes a documented privacy management program mandatory — organizations without one will be in breach of the new law.
Open guide →
What Is Bill C-36? Canada's New Privacy Law for Small Businesses
Bill C-36 replaces PIPEDA with the PPCDA — breach reporting is unchanged, but privacy management programs and legitimate interest are new.
Open guide →
Cloud Storage Misconfiguration — Quick Reference Guide
Immediate steps when an S3 bucket, Azure blob, or cloud container is accidentally left publicly accessible — PIPEDA, Alberta PIPA, and BC PIPA.
Open guide →
How to Conduct a Privacy Impact Assessment in Canada
Step-by-step guide to completing a privacy impact assessment for Canadian organizations under PIPEDA, Alberta PIPA, and BC PIPA.
Open guide →
How to Write a Privacy Policy for a Canadian Business
Your privacy policy must describe your actual practices — a mismatched template may itself be a PIPEDA violation. Ten required elements.
Open guide →
Personal Information Retention and Destruction Under Canadian Privacy Law
How long Canadian organizations must keep personal information, when they must destroy it, and what secure destruction means under PIPEDA and PIPA.
Open guide →
Physical Records Breach — Quick Reference Guide
Immediate steps when paper records are lost, stolen, or improperly destroyed — reporting obligations under PIPEDA, Alberta PIPA, and BC PIPA.
Open guide →
Privacy Law for Accounting Firms in Canada
PIPEDA and provincial PIPA for Canadian accounting firms and CPAs — client data, breach reporting, and compliance for practices of any size.
Open guide →
Privacy Law for Dental and Medical Practices in Canada
Privacy obligations for Canadian dental and medical practices — which laws apply alongside PIPEDA, patient record requirements, and breach reporting.
Open guide →
Privacy Law for Financial Advisors in Canada
PIPEDA and provincial PIPA for Canadian financial advisors — KYC data, breach reporting for financial records, and securities compliance.
Open guide →
Privacy Law for HR and Recruitment Firms in Canada
PIPEDA and provincial PIPA for Canadian HR firms — candidate data, background check consent, breach reporting, and third-party employer obligations.
Open guide →
Privacy Law for Insurance Brokers in Canada
PIPEDA and provincial PIPA for Canadian insurance brokers — applicant and claims data, breach reporting for health and financial records.
Open guide →
Privacy Law for Law Firms in Canada
PIPEDA and provincial PIPA for Canadian law firms — client file privacy, solicitor-client privilege in access requests, and breach reporting.
Open guide →
Privacy Law for Mortgage Brokers in Canada
PIPEDA and provincial PIPA for Canadian mortgage brokers — borrower data held, FINTRAC obligations, breach reporting, and Alberta and BC compliance.
Open guide →
Privacy Law for Pharmacies in Canada
PIPEDA and provincial PIPA for Canadian pharmacies — prescription records, Alberta's Health Information Act, and breach reporting for health data.
Open guide →
Privacy Law for Private Schools in Canada
PIPEDA and provincial PIPA for Canadian private schools — student and family data, heightened protections for minors, and breach reporting.
Open guide →
Privacy Law for Real Estate Agents in Canada
PIPEDA and provincial PIPA for Canadian real estate agents and brokerages — client data, FINTRAC identity verification, and breach reporting.
Open guide →
Responding to Individual Access Requests Under Canadian Privacy Law
How Canadian organizations must respond to access requests under PIPEDA and PIPA — timelines, grounds for refusal, and common mistakes.
Open guide →
Website or Database Compromise — Quick Reference Guide
Immediate steps when a website is hacked, a database is extracted, or a web shell is discovered — PIPEDA, Alberta PIPA, and BC PIPA obligations.
Open guide →
Unauthorized Employee Access — Quick Reference Guide
Immediate steps when a current or former employee accesses personal information beyond their authorization — PIPEDA, Alberta PIPA, and BC PIPA.
Open guide →
Vendor or Third-Party Breach — Quick Reference Guide
Immediate steps when an IT provider, SaaS platform, or payroll processor is breached — PIPEDA, Alberta PIPA, and BC PIPA obligations.
Open guide →
Accidental Email Disclosure — Quick Reference Guide
Immediate steps for Canadian organizations responding to a wrong-recipient email disclosure under PIPEDA, Alberta PIPA, and BC PIPA.
Open guide →
Do I Need a Designated Privacy Officer? What Canadian Privacy Law Requires
PIPEDA, Alberta PIPA, and BC PIPA all require a designated privacy officer — here is what the obligation means for small organizations.
Open guide →
PIPEDA Compliance Checklist for Canadian Organizations
Ten-principle checklist for assessing your PIPEDA compliance — each obligation stated as a concrete yes/no question with actionable next steps.
Open guide →
Do I Need a Written Privacy Policy? What Canadian Privacy Law Requires
PIPEDA, Alberta PIPA, and BC PIPA all require a written privacy policy — here is what it must contain and where to post it.
Open guide →
Which Canadian Privacy Law Applies to Your Business?
PIPEDA applies to most Canadian businesses. In Alberta and BC, provincial PIPA may apply instead — and a different regulator governs.
Open guide →
Which Privacy Law Applies to My Alberta Business?
Alberta businesses are subject to Alberta PIPA for provincial activity and PIPEDA for cross-border — both frameworks apply to the same organization.
Open guide →
Which Privacy Law Applies to My BC Business?
BC businesses and non-profits are subject to BC PIPA for provincial activity and PIPEDA for cross-border — both frameworks apply.
Open guide →
Which Privacy Law Applies to My Ontario Business?
Ontario has no provincial privacy law equivalent to Alberta or BC PIPA — PIPEDA governs all commercial activity in Ontario.
Open guide →
Canadian Privacy Compliance Resources Are Written for Experts. Here's What That Means for Your Organization.
PIPEDA compliance guidance is authoritative and free — but applying it correctly requires legal interpretation most Canadian businesses don't have.
Open guide →
Alberta PIPA Compliance Requirements: What Alberta Businesses Must Do
What Alberta private-sector organizations must have in place under PIPA — and what the OIPC expects to find during an investigation.
Open guide →
BC PIPA Compliance Requirements: What BC Businesses and Non-Profits Must Do
BC PIPA is the only Canadian private-sector privacy law that covers non-profits — what every BC business, charity, and association must have in place.
Open guide →
PIPEDA Compliance Requirements for Ontario Organizations
How Ontario private-sector organizations meet their PIPEDA compliance obligations — one regulator, one framework, and what the OPC expects to find.
Open guide →
PIPEDA Compliance Requirements for Canadian Organizations
The ten ongoing compliance obligations every private-sector organization must meet under PIPEDA — regardless of size, industry, or province.
Open guide →
What to Do When You Receive a PIPEDA Privacy Complaint
How Canadian organizations must respond to a direct privacy complaint or OPC investigation under PIPEDA and Alberta PIPA.
Open guide →
Do You Need a Privacy Impact Assessment? A Guide for Canadian Organizations
When a privacy impact assessment is required versus recommended under PIPEDA, and how Canadian organizations conduct one.
Open guide →
Sample Privacy Complaint Handling Procedure
A free sample privacy complaint handling procedure under PIPEDA, Alberta PIPA, and BC PIPA — ready to adapt for your organization.
Open guide →
What ClearBreach Generates
ClearBreach generates up to seven breach documents from one assessment — verdict card, OPC report, provincial submissions, and notification letter.
Open guide →
Phishing and Email Compromise — Quick Reference Guide
Immediate steps for phishing and email compromise — containment, audit log review, and reporting under PIPEDA, Alberta PIPA, and BC PIPA.
Open guide →
Ontario Data Breach Reporting Requirements
Ontario has no provincial privacy law — PIPEDA governs all Ontario private-sector breach reporting. When to report, who to notify, what to keep.
Open guide →
Lost or Stolen Device — Quick Reference Guide
Immediate steps for Canadian organizations responding to a lost or stolen device under PIPEDA, Alberta PIPA, and BC PIPA.
Open guide →
Alberta PIPA Breach Notification: What Alberta Organizations Must Do
Unlike BC PIPA, Alberta PIPA makes both regulator reporting and individual notification mandatory when real risk of significant harm exists.
Open guide →
BC PIPA Breach Reporting: What BC Businesses Must Do
BC PIPA requires you to notify affected individuals when a breach creates real risk of significant harm — OIPC BC reporting is voluntary.
Open guide →
Data Breach Response Checklist — Canada
A Canadian data breach creates four simultaneous obligations under PIPEDA and PIPA — containment, assessment, regulator reporting, notification.
Open guide →
PIPEDA Breach Reporting Requirements for Canadian Organizations
PIPEDA requires OPC reporting, individual notification, and a 24-month breach record when real risk of significant harm is present.
Open guide →
What Is RROSH? The Breach Reporting Threshold
RROSH — Real Risk of Significant Harm — triggers mandatory breach reporting under PIPEDA, Alberta PIPA, and BC PIPA. How to apply the four factors.
Open guide →
Ransomware Attack — Quick Reference Guide
Immediate steps, checklists, and reporting deadlines for Canadian organizations responding to a ransomware attack under PIPEDA and Alberta PIPA.
Open guide →