June 7, 2026
OPC 2025-26 Business Survey: The Breach Preparedness Gap Canadian SMBs Need to Close
By Yong Du
The OPC's 2025-26 survey finds breach incidents up 67% while breach record-keeping dropped — and small businesses lag on every compliance metric.
What happened
The Office of the Privacy Commissioner of Canada released its 2025-26 Survey of Canadian Businesses on Privacy-Related Issues in March 2026. The survey covers 800 businesses across 11 sectors and tracks compliance behaviour year over year against PIPEDA obligations. It is one of the OPC's primary tools for identifying where organizations fall short in practice.
What it means for Canadian organizations
The headline numbers are encouraging. Privacy awareness, privacy officer designation, documented staff policies, and employee training have all increased since the 2023 survey. More organizations say they are compliant, more say they are prepared, and more have taken formal steps toward privacy accountability.
The breach numbers cut against that narrative.
Reported breach incidents rose from 6% to 10% — a 67% increase year over year. Over the same period, the share of organizations maintaining breach records dropped from 94% to 81%.
That combination matters for PIPEDA compliance directly. Under PIPEDA s.10.3, organizations are required to maintain a record of every breach of security safeguards, regardless of whether the breach crosses the real risk of significant harm (RROSH) threshold and triggers mandatory OPC notification. The record-keeping obligation applies to all breaches. An organization that experienced three incidents and kept records of none is non-compliant, even if none of those incidents required reporting.
The size gap persists across every metric. Large organizations (100+ employees) outperform small organizations on privacy officer designation (85% vs. 62%), documented staff policies (87% vs. 64%), employee training (76% vs. 55%), and breach preparedness (77% vs. 57%). Small organizations represent the majority of Canadian businesses. The compliance floor is at the small business level, and it is not rising fast enough.
One finding relevant to any organization evaluating where to start: 65% of survey respondents identified step-by-step compliance guides as the most helpful resource, and 63% identified templates — both ahead of self-assessment tools (42%) and breach reporting guidance (34%). Organizations know what format works. The gap is access.
What to do now
Check your breach records. Under PIPEDA s.10.3, every breach of security safeguards must be recorded — including incidents that did not meet the RROSH threshold and were not reported to the OPC. If your organization experienced any security incident in the past 24 months with no corresponding record, that is an active compliance gap. Start the record now; the obligation is ongoing.
If you have no designated privacy officer or documented policy, those come first. The OPC survey shows 38% of small organizations have not designated a privacy officer and 36% have no documented staff privacy policy. Both are foundational PIPEDA Principle 1 obligations — not aspirational targets. A named accountable person and a one-page written policy are the minimum viable starting point before any other compliance work.
See PIPEDA breach notification requirements and PIPEDA compliance requirements for the full obligations.
Source: OPC 2025-26 Survey of Canadian Businesses on Privacy-Related Issues. Prepared by Phoenix Strategic Perspectives Inc. for the Office of the Privacy Commissioner of Canada. Final delivery: March 2026. Registration number: POR 059-25.
This article is educational and does not constitute legal advice. It is grounded in published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.