In a recent presentation I made, I highlighted some of the shifts in moving from being regulated to being a regulator. It's been an interesting learning curve for me and I've become more sensitive to some of the issues.
Specifically, I'll talk about mandatory breach notification. When I was in the private sector, we worked very hard to come up with voluntary breach notification guidelines, and we worked with the privacy commissioners across the country to implement those as guidelines for organizations. I now see those embodied in the federal privacy legislation, Bill S-4. When the regulations are implemented, we will see that for federal private sector organizations. We see it in Alberta, and we've recommended it in B.C., and the B.C. government has accepted that.
What was once voluntary in the private sector is now becoming a de facto standard of being mandatory. We also note that in Europe the general data protection authority has come out to indicate that mandatory breach notification is required. I'll also note that they've taken a few steps further than that, and it's going to be significant for Canada to continue to be substantially similar with the requirements of GDPR for the free flow of information as it relates in the private sector for organizations that operate multinationally.