In almost every other organization that voters and Canadians interact with that have to meet privacy laws, there are privacy risk assessments. An external auditor would come in and say, “Here are some deficiencies that we'd like you to address. Here are some others that we think are adequate.” A lead time is given for that organization to meet those requirements. This is how the banks, telephone companies, everyone deals with private data.
On June 7th, 2018. See this statement in context.