Data Privacy and Cybersecurity

Data and innovation are key drivers for many clients in today’s rapidly changing business environment. At Deloitte Legal Canada, our specialized team of lawyers ensures you are able to stay compliant with emerging regulatory provisions, protecting you from both financial and reputational risk in the age of information.

As part of a cross-functional team through an affiliation with Deloitte LLP, Deloitte Legal Canada’s Data Privacy and Cybersecurity group leverages expertise from Deloitte LLP’s leading cybersecurity consultants and respondents to deliver comprehensive technological risk assessment and mitigation based on leading industry practices.

Uniquely positioned as part of a “one-stop specialized shop”, we advise Canadian institutions on (i) incident preparation, (ii) incident response, and (iii) data privacy matters, while being able to propose practical solutions to help clients anticipate regulatory change and navigate the evolving cybersecurity and privacy landscape.

In addition, our lawyers are well versed in the realm of technology law and are able to advise you on complex transactions, both in commercial and in mergers and acquisitions (M&A) matters, involving information technology (IT) outsourcing services, SaaS, cloud computing and licensing agreements.


(i)  Incident preparation

“By failing to prepare, you are preparing to fail.” – Benjamin Franklin

For cybersecurity matters, always staying one step ahead is crucial to limit financial and reputational exposure. Our team helps you understand and manage cyber risk through a comprehensive approach, including:

  • Advising on upcoming changes to cybersecurity legislation across Canada 
  • Assessing organizational compliance with privacy laws and recommending key improvement areas to protect critical assets
  • Developing cybersecurity guidelines and comprehensive incident response plans
  • Providing training for the board of directors with respect to their liability related to cybersecurity and good governance
  • Managing tabletop exercises and cyber incident simulations
  • Scoping and overseeing red and purple team exercises
  • Providing employee training in relation to data handling and cybersecurity
  • Advising on proactive stakeholder monitoring of employees, vendors, and contractors
  • Reviewing vendor agreements in relation to cybersecurity risks and incident management and providing risk mitigation strategies for such agreements


(ii) Incident response

“There is no such thing as perfect security only varying levels of insecurity.” – Salman Rushdie

It is not a matter of “if”, but of “when” a cyber incident happens. When it does, our team is ready, at a moment’s notice, to assist you through one of the toughest incidents an organization can face with comprehensive incident response services, including:

  • As breach coach, coordinating actors during incidents, mobilizing additional resources, and advising all involved parties as to the legal risks while maintaining solicitor-client privilege during such communications
  • Through the use of cutting-edge tools, modelling and analyzing the risk of significant harm to affected individuals, and advising on applicable reporting and notification obligations to regulators and affected individuals alike
  • Assessing legal risk during the course of ransomware attacks
  • Managing internal and external communications to avoid potential legal and reputational risks by integrating with third party incident response communications experts
  • Leading post-mortem reviews, issuing recommendations, and assessing the sufficiency of remediation activities through a cyber improvement program
  • As may be required, providing assistance in litigation preparation activities

Fully integrating with Deloitte’s cyber incident response experts, we will put out the fire quickly and have you back up and running!


(iii) Data Privacy

“All human beings have three lives: public, private, and secret.” – Gabriel Garcia Marquez

Data is often associated with confidentiality requirements, and certain types of data are subject to additional privacy-related obligations. Our team works proactively with your IT experts – assisted by Deloitte’s consultants, as necessary – to ensure your organization remains a responsible custodian of personal information throughout its lifecycle by:

  • Assessing current compliance with, and advising on, evolving privacy legislation
  • Reviewing and drafting privacy policies, data retention policies, consent forms for compliant collection, use and storage of personal information policies
  • Advising on the implementation of such policies through data mapping activities and providing resources to manage change within the organization through expert consultants
  • Advising on the risks of online behavioural advertising and other marketing activities involving mass data collection
  • Conducting privacy due diligence for personal information packaged in commercial transactions
  • Reviewing and negotiating vendor agreements involving international transfers of personal information
  • Developing a framework to respond to government and law enforcement data requests
  • Advising on privacy issues related to the development of new products or to the use of a given technology by your organization
