Managing a privacy incident: emergency procedure for SMBs
Friday at 4 p.m.: an employee sends the client list to the wrong recipient. That may be a privacy incident; not the time to improvise. Panic is expensive; a simple procedure, tested in advance, protects individuals and the organization.
What is an incident?
In general, it is unauthorized access, unauthorized use, unauthorized disclosure, or loss of personal information. Classic SMB examples:
- Sending a client list as an attachment to the wrong person.
- Ransomware on a server containing HR files.
- Compromised email account used for internal phishing.
- Lost USB key with unencrypted data.
A "small" incident still deserves a line in the register. Even without mandatory notification to the CAI, documenting shows your diligence if the situation evolves or a complaint arrives later.
What to do in the first hours?
- Contain: cut access, reset passwords, isolate the system. Act fast without erasing evidence useful to the investigation.
- Document: time, nature of the data, approximate number of individuals, presumed cause.
- Assess risk of serious injury: sensitivity of the information, likelihood of malicious use.
- Consult the privacy officer and, if needed, a lawyer: decision to notify the CAI and affected individuals (privacy officer role).
Notification to the CAI and individuals
When the incident presents a risk of serious injury, the law requires notification to the Commission d'accès à l'information (CAI) and, except in limited cases, the affected individuals. The notice must be clear: description, information involved, measures taken, recommendations to protect themselves.
Deadlines are short. Prepare a notice template in advance: drafting under pressure on a Friday evening is a guaranteed way to forget something.
Register and minimal internal procedure
Your incident register should include, for each event:
- Date of discovery and of the incident.
- Description and categories of information.
- Corrective measures and evidence (tickets, emails, IT reports).
- Decision and date of CAI / individual notification, if applicable.
For financial risk in case of negligence, see Law 25 fines and sanctions. Cross-check with the express checklist: the incident register question is often a revealing "no".
In brief
Contain, document, assess, notify if required: in that order. A one-page procedure posted for the team beats a 40-page manual nobody has read.
Useful references
- CAI, Privacy incidents: notification obligations and forms.
- Act P-39.1 (LégisQuébec): legal framework for the private sector.
- Fines and sanctions: why negligence can cost dearly.
This text is for information only and does not constitute legal advice. For a decision that binds your organization, consult the CAI and a legal professional.
Check your website
Your web policy should explain how you inform individuals in case of an incident. Our free technical scan helps spot observable gaps on the public site. It complements, but does not replace, your compliance program.