ClearBreach

In an active breach right now?

Each guide below is a scannable checklist for use during an incident. Use ClearBreach to run your formal assessment and generate required documents.

Get early access now →

Resource library

Breach response & compliance guides

Immediate breach response checklists and proactive compliance guides for Canadian private-sector organizations under PIPEDA, Alberta PIPA, and BC PIPA.

Want the full background on a scenario? Read the educational playbooks →

AB PIPA

Alberta PIPA Reform: What the 12 Recommendations Mean for Your Business

Alberta's Standing Committee recommended 12 PIPA amendments — new enforcement powers, a defined harm threshold, and mandatory vendor contracts.

Open guide →

BC PIPA

BC PIPA Reform: What BC's 2026 Privacy Bill Signals for Private-Sector Businesses

BC is reforming its public-sector privacy law first. Here's what Bill 9 signals for BC PIPA private-sector reform and what businesses should do now.

Open guide →

PPCDA

Cross-Border Privacy Impact Assessments Under Bill C-36 (PPCDA): Which Vendors Trigger the Requirement

PPCDA requires a Privacy Impact Assessment before transferring personal data outside Canada — any organization using US cloud vendors will trigger it.

Open guide →

PPCDA

Legitimate Interest Under Bill C-36 (PPCDA): New to Canadian Privacy Law

Bill C-36's PPCDA introduces legitimate interest — a new basis to use personal information without consent that does not exist under PIPEDA.

Open guide →

PPCDA

Bill C-36 (PPCDA): Canada's New Privacy Law Lets Customers Sue You Directly

PPCDA lets individuals sue for privacy violations after a confirmed OPC finding — direct liability that does not exist under PIPEDA.

Open guide →

PPCDA

What Is a Privacy Management Program Under Bill C-36 (PPCDA)?

Bill C-36's PPCDA makes a documented privacy management program mandatory — organizations without one will be in breach of the new law.

Open guide →

PPCDA

What Is Bill C-36? Canada's New Privacy Law for Small Businesses

Bill C-36 replaces PIPEDA with the PPCDA — breach reporting is unchanged, but privacy management programs and legitimate interest are new.

Open guide →

PIPEDAAB PIPABC PIPATypical verdict: RROSH present in most cases — sensitive data in a public bucket is accessible to automated scanners within hours; access logs are often unavailable

Cloud Storage Misconfiguration — Quick Reference Guide

Immediate steps when an S3 bucket, Azure blob, or cloud container is accidentally left publicly accessible — PIPEDA, Alberta PIPA, and BC PIPA.

Open guide →

PIPEDAAB PIPABC PIPA

How to Conduct a Privacy Impact Assessment in Canada

Step-by-step guide to completing a privacy impact assessment for Canadian organizations under PIPEDA, Alberta PIPA, and BC PIPA.

Open guide →

PIPEDAAB PIPABC PIPA

How to Write a Privacy Policy for a Canadian Business

Your privacy policy must describe your actual practices — a mismatched template may itself be a PIPEDA violation. Ten required elements.

Open guide →

PIPEDAAB PIPABC PIPA

Personal Information Retention and Destruction Under Canadian Privacy Law

How long Canadian organizations must keep personal information, when they must destroy it, and what secure destruction means under PIPEDA and PIPA.

Open guide →

PIPEDAAB PIPABC PIPATypical verdict: RROSH present when sensitive categories are involved — the same standard applies to paper records as to digital ones

Physical Records Breach — Quick Reference Guide

Immediate steps when paper records are lost, stolen, or improperly destroyed — reporting obligations under PIPEDA, Alberta PIPA, and BC PIPA.

Open guide →

PIPEDAAB PIPABC PIPAAccounting

Privacy Law for Accounting Firms in Canada

PIPEDA and provincial PIPA for Canadian accounting firms and CPAs — client data, breach reporting, and compliance for practices of any size.

Open guide →

PIPEDAAB PIPABC PIPADental and Medical

Privacy Law for Dental and Medical Practices in Canada

Privacy obligations for Canadian dental and medical practices — which laws apply alongside PIPEDA, patient record requirements, and breach reporting.

Open guide →

PIPEDAAB PIPABC PIPAFinancial advisors

Privacy Law for Financial Advisors in Canada

PIPEDA and provincial PIPA for Canadian financial advisors — KYC data, breach reporting for financial records, and securities compliance.

Open guide →

PIPEDAAB PIPABC PIPAHR and recruitment

Privacy Law for HR and Recruitment Firms in Canada

PIPEDA and provincial PIPA for Canadian HR firms — candidate data, background check consent, breach reporting, and third-party employer obligations.

Open guide →

PIPEDAAB PIPABC PIPAInsurance brokers

Privacy Law for Insurance Brokers in Canada

PIPEDA and provincial PIPA for Canadian insurance brokers — applicant and claims data, breach reporting for health and financial records.

Open guide →

PIPEDAAB PIPABC PIPALaw firms

Privacy Law for Law Firms in Canada

PIPEDA and provincial PIPA for Canadian law firms — client file privacy, solicitor-client privilege in access requests, and breach reporting.

Open guide →

PIPEDAAB PIPABC PIPAMortgage brokers

Privacy Law for Mortgage Brokers in Canada

PIPEDA and provincial PIPA for Canadian mortgage brokers — borrower data held, FINTRAC obligations, breach reporting, and Alberta and BC compliance.

Open guide →

PIPEDAAB PIPABC PIPAPharmacies

Privacy Law for Pharmacies in Canada

PIPEDA and provincial PIPA for Canadian pharmacies — prescription records, Alberta's Health Information Act, and breach reporting for health data.

Open guide →

PIPEDAAB PIPABC PIPAPrivate schools

Privacy Law for Private Schools in Canada

PIPEDA and provincial PIPA for Canadian private schools — student and family data, heightened protections for minors, and breach reporting.

Open guide →

PIPEDAAB PIPABC PIPAReal estate

Privacy Law for Real Estate Agents in Canada

PIPEDA and provincial PIPA for Canadian real estate agents and brokerages — client data, FINTRAC identity verification, and breach reporting.

Open guide →

PIPEDAAB PIPABC PIPA

Responding to Individual Access Requests Under Canadian Privacy Law

How Canadian organizations must respond to access requests under PIPEDA and PIPA — timelines, grounds for refusal, and common mistakes.

Open guide →

PIPEDAAB PIPABC PIPATypical verdict: RROSH present in most cases — confirmed database access by a malicious actor with personal information in scope almost always meets the threshold

Website or Database Compromise — Quick Reference Guide

Immediate steps when a website is hacked, a database is extracted, or a web shell is discovered — PIPEDA, Alberta PIPA, and BC PIPA obligations.

Open guide →

PIPEDAAB PIPABC PIPATypical verdict: Case-by-case — depends on what was accessed, for how long, and whether exfiltration evidence exists

Unauthorized Employee Access — Quick Reference Guide

Immediate steps when a current or former employee accesses personal information beyond their authorization — PIPEDA, Alberta PIPA, and BC PIPA.

Open guide →

PIPEDAAB PIPABC PIPATypical verdict: Case-by-case — depends on what data the vendor held and whether access was confirmed

Vendor or Third-Party Breach — Quick Reference Guide

Immediate steps when an IT provider, SaaS platform, or payroll processor is breached — PIPEDA, Alberta PIPA, and BC PIPA obligations.

Open guide →

PIPEDAAB PIPABC PIPATypical verdict: BELOW_RROSH in most single-recipient cases — assess before concluding

Accidental Email Disclosure — Quick Reference Guide

Immediate steps for Canadian organizations responding to a wrong-recipient email disclosure under PIPEDA, Alberta PIPA, and BC PIPA.

Open guide →

PIPEDAAB PIPABC PIPA

Do I Need a Designated Privacy Officer? What Canadian Privacy Law Requires

PIPEDA, Alberta PIPA, and BC PIPA all require a designated privacy officer — here is what the obligation means for small organizations.

Open guide →

PIPEDA

PIPEDA Compliance Checklist for Canadian Organizations

Ten-principle checklist for assessing your PIPEDA compliance — each obligation stated as a concrete yes/no question with actionable next steps.

Open guide →

PIPEDAAB PIPABC PIPA

Do I Need a Written Privacy Policy? What Canadian Privacy Law Requires

PIPEDA, Alberta PIPA, and BC PIPA all require a written privacy policy — here is what it must contain and where to post it.

Open guide →

PIPEDAAB PIPABC PIPA

Which Canadian Privacy Law Applies to Your Business?

PIPEDA applies to most Canadian businesses. In Alberta and BC, provincial PIPA may apply instead — and a different regulator governs.

Open guide →

PIPEDAAB PIPA

Which Privacy Law Applies to My Alberta Business?

Alberta businesses are subject to Alberta PIPA for provincial activity and PIPEDA for cross-border — both frameworks apply to the same organization.

Open guide →

PIPEDABC PIPA

Which Privacy Law Applies to My BC Business?

BC businesses and non-profits are subject to BC PIPA for provincial activity and PIPEDA for cross-border — both frameworks apply.

Open guide →

PIPEDA

Which Privacy Law Applies to My Ontario Business?

Ontario has no provincial privacy law equivalent to Alberta or BC PIPA — PIPEDA governs all commercial activity in Ontario.

Open guide →

PIPEDAAB PIPABC PIPA

Canadian Privacy Compliance Resources Are Written for Experts. Here's What That Means for Your Organization.

PIPEDA compliance guidance is authoritative and free — but applying it correctly requires legal interpretation most Canadian businesses don't have.

Open guide →

AB PIPA

Alberta PIPA Compliance Requirements: What Alberta Businesses Must Do

What Alberta private-sector organizations must have in place under PIPA — and what the OIPC expects to find during an investigation.

Open guide →

BC PIPA

BC PIPA Compliance Requirements: What BC Businesses and Non-Profits Must Do

BC PIPA is the only Canadian private-sector privacy law that covers non-profits — what every BC business, charity, and association must have in place.

Open guide →

PIPEDA

PIPEDA Compliance Requirements for Ontario Organizations

How Ontario private-sector organizations meet their PIPEDA compliance obligations — one regulator, one framework, and what the OPC expects to find.

Open guide →

PIPEDA

PIPEDA Compliance Requirements for Canadian Organizations

The ten ongoing compliance obligations every private-sector organization must meet under PIPEDA — regardless of size, industry, or province.

Open guide →

PIPEDAAB PIPABC PIPA

What to Do When You Receive a PIPEDA Privacy Complaint

How Canadian organizations must respond to a direct privacy complaint or OPC investigation under PIPEDA and Alberta PIPA.

Open guide →

PIPEDAAB PIPABC PIPA

Do You Need a Privacy Impact Assessment? A Guide for Canadian Organizations

When a privacy impact assessment is required versus recommended under PIPEDA, and how Canadian organizations conduct one.

Open guide →

PIPEDAAB PIPABC PIPA

Sample Privacy Complaint Handling Procedure

A free sample privacy complaint handling procedure under PIPEDA, Alberta PIPA, and BC PIPA — ready to adapt for your organization.

Open guide →

PIPEDAAB PIPABC PIPA

What ClearBreach Generates

ClearBreach generates up to seven breach documents from one assessment — verdict card, OPC report, provincial submissions, and notification letter.

Open guide →

PIPEDAAB PIPABC PIPATypical verdict: RROSH

Phishing and Email Compromise — Quick Reference Guide

Immediate steps for phishing and email compromise — containment, audit log review, and reporting under PIPEDA, Alberta PIPA, and BC PIPA.

Open guide →

PIPEDA

Ontario Data Breach Reporting Requirements

Ontario has no provincial privacy law — PIPEDA governs all Ontario private-sector breach reporting. When to report, who to notify, what to keep.

Open guide →

PIPEDAAB PIPABC PIPATypical verdict: RROSH — unless confirmed encryption and verified no access

Lost or Stolen Device — Quick Reference Guide

Immediate steps for Canadian organizations responding to a lost or stolen device under PIPEDA, Alberta PIPA, and BC PIPA.

Open guide →

AB PIPA

Alberta PIPA Breach Notification: What Alberta Organizations Must Do

Unlike BC PIPA, Alberta PIPA makes both regulator reporting and individual notification mandatory when real risk of significant harm exists.

Open guide →

BC PIPA

BC PIPA Breach Reporting: What BC Businesses Must Do

BC PIPA requires you to notify affected individuals when a breach creates real risk of significant harm — OIPC BC reporting is voluntary.

Open guide →

PIPEDAAB PIPABC PIPA

Data Breach Response Checklist — Canada

A Canadian data breach creates four simultaneous obligations under PIPEDA and PIPA — containment, assessment, regulator reporting, notification.

Open guide →

PIPEDA

PIPEDA Breach Reporting Requirements for Canadian Organizations

PIPEDA requires OPC reporting, individual notification, and a 24-month breach record when real risk of significant harm is present.

Open guide →

PIPEDAAB PIPABC PIPA

What Is RROSH? The Breach Reporting Threshold

RROSH — Real Risk of Significant Harm — triggers mandatory breach reporting under PIPEDA, Alberta PIPA, and BC PIPA. How to apply the four factors.

Open guide →

PIPEDAAB PIPATypical verdict: RROSH

Ransomware Attack — Quick Reference Guide

Immediate steps, checklists, and reporting deadlines for Canadian organizations responding to a ransomware attack under PIPEDA and Alberta PIPA.

Open guide →