Data Privacy and Cybersecurity

Data and innovation are key drivers for many clients in today’s rapidly changing business environment. At Deloitte Legal Canada, our specialized team of lawyers ensures you are able to stay compliant with emerging regulatory provisions, protecting you from both financial and reputational risk in the information age.

As part of a cross-functional team through an affiliation with Deloitte LLP, Deloitte Legal Canada’s Data Privacy and Cybersecurity group leverages expertise from Deloitte LLP’s leading cybersecurity consultants and respondents to deliver comprehensive technological risk assessment and mitigation based on leading industry practices.

Uniquely positioned as part of a “one-stop specialized shop”, we advise Canadian institutions on (i) cyber risk management (incident preparation); (ii) cyber risk mitigation (incident response); and (iii) privacy and data protection, while being able to propose practical solutions to help clients anticipate regulatory change and navigate the evolving cybersecurity and privacy landscape.

For any questions about the practice group and how we can help you, please reach out to Hélène Deschamps Marquis, National Leader of the Data Privacy and Cyber Security Law practice at +1 514-393-8300 or


Cyber Risk Management (Incident Preparation)

“By failing to prepare, you are preparing to fail.” – Benjamin Franklin
For cybersecurity matters, always staying one step ahead is crucial to limit financial and reputational exposure. Our team helps you understand and manage cyber risk through a comprehensive approach, including:

  • Advising on upcoming changes to cybersecurity legislation across Canada
  • Assessing organizational compliance with privacy laws and recommending key improvement areas to protect critical assets
  • Developing cybersecurity guidelines and comprehensive incident response plans
  • Advising on cyber risk insurance – inclusions, exclusions, payouts – and acting as designated breach coach on policies
  • Reviewing and negotiating vendor agreements and data protection terms for data outsourcing contracts, advising on their inherent privacy and data security risks, and providing mitigation strategies
  • Advising on risks of data collection and retention and conducting data mapping exercises, as may be necessary, to determine what kind of data is collected, where it is stored, for how long, and who has access to it
  • Scoping and overseeing red and purple team exercises meant to evaluate the reliability of the IT environment, physical infrastructure, and personnel processes
  • Managing tabletop exercises or other incident simulations with key executives
  • Providing training for the board of directors with respect to their liability related to cybersecurity and good governance
  • Providing employee training in relation to data handling and cybersecurity 


Cyber Risk Mitigation (Incident Response)

“There is no such thing as perfect security only varying levels of insecurity.” – Salman Rushdie

It is not a matter of “if”, but of “when” a cyber incident happens. Deloitte Legal is the only team of attorneys in Canada that has a seamless working relationship and is associated with a team of cybersecurity consultants and respondents. Through this strategic partnership, Deloitte Legal is ready at a moment’s notice when a cyber incident happens, to assist you through one of the toughest incidents an organization can face with comprehensive incident response services, including:

  • As breach coach, coordinating actors during incidents, mobilizing additional resources, and advising all involved parties as to the legal risks while maintaining solicitor-client privilege during such communications
  • Analyzing the real risk of significant harm to affected individuals through risk models and by using cutting-edge tools
  • Reporting a cybersecurity incident to the regulatory authorities and preparing notifications to affected individuals and other concerned parties
  • Assessing legal risk during the course of ransomware attacks
  • Managing internal and external communications to avoid potential legal and reputational risks by working with incident response communications experts
  • Leading post-mortem reviews, issuing recommendations, and assessing the sufficiency of remediation activities through a cyber improvement program

Fully integrating with Deloitte’s cyber incident response experts, we will put out the fire quickly and have you back up and running!


Privacy and Data Protection

“All human beings have three lives: public, private, and secret.” – Gabriel Garcia Marquez

Data is often associated with confidentiality requirements, and certain types of data are subject to additional privacy-related obligations. Our team works proactively with your IT experts – assisted by Deloitte’s consultants, as necessary – to ensure your organization remains a responsible custodian of personal information throughout its lifecycle by:

  • Assessing current compliance with, and advising on, evolving privacy legislation
  • Reviewing and drafting privacy policies, data retention policies, consent forms, and other such policies for compliant collection and use of personal information 
  • Advising on the implementation of such policies through data mapping activities and managing change within the organization through expert consultants
  • Advising on the risks of online behavioural advertising and other marketing activities involving mass data collection 
  • Conducting privacy due diligence for personal information packaged in commercial transactions 
  • Reviewing and negotiating vendor agreements involving international transfers of personal information
  • Developing a response framework for government and law enforcement requests 
  • Advising on privacy issues related to the development of new products or to the use of a given technology by your organization


Technology Law

“Code is law.” – Lawrence Lessig

In addition to Data Privacy and Cybersecurity, our lawyers are well versed in the realm of technology law, which begins with an intimate understanding of the underlying technologies, and extends to a pointed expertise in contract negotiation. We are able to assist on a variety of matters related to the legal aspects of your organization’s tech. Through years of tech and transactional experience, we can help your organization stay ahead by:

  • Assisting in M&A activities, such as the review of IT and IP contracts, providing legal opinions on related transitions, and drafting IT Transitional Services Agreements
  • Advising on complex commercial transactions involving the review of IT outsourcing services, Software as a Service (SaaS), cloud computing, and licensing agreements and providing a legal opinion on such agreements
  • Reviewing thousands of electronic records to deliver timely advice, in record time, by harnessing Deloitte’s unrivaled capabilities to process documents at scale
  • Crafting a high-level intellectual property strategy for your organization’s portfolio to protect, leverage, and monetize its IP assets – locally or globally
  • Advising on process redesign involving adaptation from analog processes, such as implementation of digital signatures, electronic contract management, customer relationship management (CRM) tools, and enterprise resource management (ERP) tools
  • Integrating any advice we provide with Deloitte’s expert consultants in change management to ensure a seamless process redesign and implementation
