
PIPEDA Breach Response Playbook

The hour-by-hour Canadian-context runbook for the first 72 hours of a personal-information breach. Notification thresholds, OPC reporting template, individual-notice template, post-incident review checklist.

What’s inside

  • Hour-by-hour timeline for the first 72 hours. Triage, containment, evidence preservation, and a decision tree for “is this a ‘real risk of significant harm’ breach under PIPEDA?”
  • OPC notification template. Pre-filled with every field the Privacy Commissioner’s reporting form expects. Fill the blanks, send.
  • Individual-notice template. Tone-calibrated for the customer/donor — clear, accurate, no legalese, no over-promising.
  • Internal escalation tree. Who calls whom in the first 60 minutes; who has spend authority; who’s on after-hours.
  • Post-incident review checklist. The seven questions that turn a breach into a lesson rather than a repeat.

Who it’s for

Any Canadian organization holding personal information — SMBs, charities, professional services firms. PIPEDA’s “real risk of significant harm” threshold reaches lower than most assume.

Pairs with