# PIPEDA Breach Response Playbook

> The hour-by-hour Canadian-context runbook for the first 72 hours of a personal-information breach. Notification thresholds, OPC reporting template, individual-notice template, post-incident review checklist.

**Published:** 2026-05-16
**Categories:** compliance, incident-response

*This resource is gated behind an email opt-in on the HTML page. The PDF (RedactLabs-PIPEDA-Breach-Response-Playbook.pdf) is delivered via a Resend email with a 72-hour HMAC-signed download link.*

---

## What's inside

- **Hour-by-hour timeline for the first 72 hours.** Triage, containment, evidence preservation, and a decision tree for "is this a 'real risk of significant harm' breach under PIPEDA?"
- **OPC notification template.** Pre-filled with every field the Privacy Commissioner's reporting form expects. Fill in the blanks, send.
- **Individual-notice template.** Tone-calibrated for the customer/donor — clear, accurate, no legalese, no over-promising.
- **Internal escalation tree.** Who calls whom in the first 60 minutes; who has spend authority; who's on after-hours.
- **Post-incident review checklist.** The seven questions that turn a breach into a lesson rather than a repeat.

## Who it's for

Any Canadian organization holding personal information — SMBs, charities, professional services firms. PIPEDA's "real risk of significant harm" threshold reaches lower than most assume.

## Pairs with

- The [PIPEDA / Quebec Law 25 / PHIPA primer](/blog/canadian-privacy-laws-nonprofits/) — context for which regime applies to which data.
- The [Charity Cybersecurity Posture Checklist](/resources/charity-cybersecurity-posture-checklist/) — preventive work that reduces the probability you'll need this playbook.