{"id":601,"slug":"rule-structured-data-is-privacy-compliance-accelerator","title":"RULE: Treat a deliberate data layer as a privacy-compliance accelerator, not a privacy risk. The scattered alternative is harder to comply with.","kind":"rule","scope":"business","status":"current","audiences":["kevin","claude-code","smb-owner","candid-team"],"topics":["agency-methodology","regulatory-compliance","data-infrastructure"],"reference_body":"**Rule:** When discussing data infrastructure with Candid clients, position a deliberate structured data layer as a **PIPEDA / Law 25 / future-Bill-C-15 compliance accelerator**, not a compliance risk.\n\n**Why:**\n- Brinks Home OPC finding 2024 ([[brinks-home-opc-finding-2024]]): customer data accessible to former occupants for 10 weeks because of inadequate safeguards on a portal. **A scattered data estate is what enables this failure mode** — there's no single inventory to audit, no single access-control surface to harden\n- Quebec Law 25 ([[quebec-law-25-sept-2024-data-portability-c25m-fines]]) requires data-portability requests in **structured, machine-readable formats (CSV/JSON/XML — NOT PDFs)**. A scattered estate cannot produce these on demand. A Postgres warehouse can.\n- PIPEDA Subject Access Requests ([[pipeda-bill-c-27-died-january-2025]]) require producing all data held about an individual. A structured layer with a canonical customer_id ([[rule-own-customer-id-as-primary-key]]) makes this a single query.\n- Data retention requirements: you can't enforce a retention schedule on data you can't see. Structured = auditable.\n\n**How to apply:**\n- In data-infrastructure proposals to clients, the privacy-compliance benefit is a sales pitch item, not a footnote\n- Build access controls + audit logging into the data layer from day 1 (Postgres row-level security, dbt + analytics-engineer review process)\n- For clients serving Quebec residents: explicitly design for Law 25 portability (export procedure tested quarterly, format CSV/JSON, response time <30 days)\n- For healthcare-adjacent clients in Ontario: PHIPA layer is separate and stricter — design with that constraint","rationale_body":null,"metadata":null,"links":{"outgoing":[{"slug":"brinks-home-opc-finding-2024","title":"OPC vs Brinks Home (PIPEDA Findings #2024-002, Mar 28 2024): inadequate safeguards left customer data accessible for 10 weeks","kind":"reference","scope":"business","link_type":"depends-on"},{"slug":"pipeda-bill-c-27-died-january-2025","title":"Canadian privacy 2026: PIPEDA still governs; Bill C-27 died on the Order Paper Jan 6, 2025 — no fines, only findings","kind":"reference","scope":"business","link_type":"depends-on"},{"slug":"quebec-law-25-sept-2024-data-portability-c25m-fines","title":"Quebec Law 25 (fully in force Sept 22, 2024): data portability + fines up to C$25M / 4% of worldwide turnover","kind":"reference","scope":"business","link_type":"depends-on"},{"slug":"rule-own-customer-id-as-primary-key","title":"RULE: Own a single customer_id primary key that joins across your vertical SaaS + QuickBooks + email + ads.","kind":"rule","scope":"business","link_type":"relates-to"}],"incoming":[{"slug":"research-brief-dataset-is-the-product","title":"Research brief: The Dataset is the Product — when a service business should own its data (piece 12 of 15)","kind":"reference","scope":"business","link_type":"relates-to"}]},"created_at":"2026-05-22T20:37:13.312Z","updated_at":"2026-05-22T20:37:13.312Z"}