112 4th Avenue S.W., Calgary, AB  |  Ph: 403-689-8332

Canada Is About to Fine You For Ignoring Privacy, Are you Ready?

Fines for Ignoring Privacy

March 26, 2026

It comes up in conversations regularly. Solid businesses, good margins, trusted MSP relationships. I ask where their customer data lives. The answer is “the cloud.” Which cloud? They’d have to check with their IT person. What privacy policies govern that data? Long pause.

It’s not carelessness. It’s what most mid-market leaders do: assume someone else has figured it out.

The Assumption That’s Going to Cost Someone a Lot of Money

The answer I hear most often when I ask about privacy compliance is some version of: “We’re covered. Our MSP handles security. Our IT team handles compliance. Our lawyer looks at the legal stuff.”

That answer is understandable. It is also wrong.

Your MSP is responsible for keeping your systems running and protecting your data from external threats. They are not responsible for your privacy compliance posture, your data governance policies, your consent management, or how your business uses the personal information it collects. That is a strategic and governance decision. And in most mid-market companies, nobody has actually assigned it to anyone.

Most privacy compliance failures at companies your size don’t happen because someone did something deliberately wrong. They happen because nobody mapped where the data flows, nobody reviewed the consent language on the website in the last three years, and nobody checked whether the CRM’s data retention settings comply with anything. The failure is structural, not intentional. That is not going to matter much when the fine lands.

The Law Has Changed. Most Companies Don’t Know It Yet.

Canadian businesses have been operating under PIPEDA, the Personal Information Protection and Electronic Documents Act, since 2001. For most of that time, enforcement was toothless. The Privacy Commissioner could investigate, write a report, and name the company. The company would respond with a statement and move on. Real penalties were not possible.

That’s changing, and it’s already started.

Quebec’s Law 25 is already in force. If your company does business with any customers in Quebec, even as a small portion of your revenue, this law applies to you right now. It introduced mandatory breach reporting, the right of individuals to request that their data be deleted, and serious penalties: fines of up to $25 million or 4% of worldwide turnover. This is not a proposal. It is law.

At the federal level, Parliament has been working toward replacing PIPEDA with a modern statute for several years. The most recent version, Bill C-27, died when Parliament was prorogued in early 2025. But the government has made clear that new federal privacy legislation is coming, with fines of up to the greater of $25 million or 5% of gross global revenue and a dedicated enforcement tribunal. Major Canadian law firms flagged this as one of the top legal priorities for 2026. The direction is not in doubt. Only the timing is.

And then there is the issue nobody is talking about loudly enough: AI.

If your company has deployed any AI tools in the last two years, and most have, your data exposure has grown. Microsoft Copilot processing your customer emails. An AI-powered feature in your CRM summarizing deal notes. A chat tool on your website that logs conversations. Workflow automation that touches employee records. AI tools process personal information in ways that were not contemplated when most mid-market privacy policies were written. The questions your privacy posture needs to answer are now more complicated than they were in 2022: Where does that data go after the AI processes it? Who at the vendor has access to it? What is it being used to train? How long is it retained?

Most companies cannot answer those questions. When the enforcement mechanism arrives, that will not be an acceptable defense.

This Does Not Have to Be a $100,000 Legal Project

A lot of business leaders hear “privacy compliance review” and picture a six-month engagement with outside counsel. That is one way to do it. It is not the only way, and it is not where you need to start.

Here is what a useful starting point actually looks like:

  • Do a data inventory, and make it a business conversation, not a technical one. Walk through every major touchpoint where your company collects personal information: your website, your CRM, your HR systems, your customer onboarding workflow. Write down what you collect, where it lives, who has access to it, and how long you keep it. Most mid-market companies have never done this exercise. It typically takes one to two days and is routinely alarming.
  • Review every AI and SaaS tool added in the last 24 months and look at the data processing agreements. The standard terms in most SaaS vendor contracts are written for the vendor’s benefit. They often include broad rights to use customer data for model training, vague retention terms, and limited liability for breaches. Someone needs to have read these before you sign.
  • Get your consent language reviewed. The copy on your website forms, email opt-ins, and customer onboarding flow was probably written several years ago. It almost certainly does not reflect what you are actually doing with that data today. That gap is a compliance problem.
  • Assign ownership. Privacy compliance is not a project with a completion date. It is an ongoing function. Someone in your organization needs to own it as a real accountability, not a side responsibility. For most mid-market companies, this person does not currently exist. That is the gap to close.

None of this requires hiring a full-time privacy officer. What it requires is a strategic review and a named owner. The companies that are going to get through the next few years of privacy enforcement without incident will be the ones that treated this as a business risk decision rather than an IT task.

The Window Is Still Open

The companies that are going to get hurt by Canadian privacy enforcement are not the ones that did something deliberately wrong. They are going to be the ones that assumed the problem belonged to someone else and never verified that assumption.

Your MSP is not that someone. Your IT team almost certainly isn’t either. The accountability for data governance sits with the business, which means it sits with you.

The good news is that the window to get ahead of this is still open. The new federal statute has not landed yet. Quebec’s Law 25 enforcement is still developing. Most mid-market companies that take action now can get to a defensible position without a crisis driving them there. But the window closes when the law does. And in 2026, that is not very far away.
