{"id":1339,"slug":"rule-treat-data-custody-as-line-item","title":"R4 — Treat data custody as a project line item, not a footnote: PIPEDA consent + MFA + encryption + breach response plan + 24-month breach records all live in scope before launch","kind":"rule","scope":"business","status":"current","audiences":["kevin","smb-owner","candid-team"],"topics":["regulatory-compliance","editorial-discipline","client-portals","privacy-pipeda"],"reference_body":"**Rule:** Every portal recommendation must include data-custody as a **line item, not a footnote**. Before launch confirm:\n\n- **Consent language** that satisfies PIPEDA (meaningful consent).\n- **MFA** on every account.\n- **Encryption in transit and at rest**.\n- **Breach-response plan** including who notifies whom on what timeline.\n- **PIPEDA-compliant processor agreement** with any SaaS host.\n- **Budget for breach record-keeping** — 24-month retention ([[pipeda-breach-reporting-rrosh-24-month-records]]) is operational, not legal.\n\n**Why:** A login you control engages **PIPEDA** ([[pipeda-core-duties-consent-safeguarding-access]]). **Buying a portal does not transfer accountability** ([[control-accountability-third-party-processor]]). Penalties of **up to CAD $100,000 per violation** for knowingly failing to report / notify / keep records ([[pipeda-100k-per-violation-penalty]]). Quebec Law 25 / GDPR / CCPA tighten this further depending on the customer base ([[quebec-law-25-gdpr-ccpa-analog]]).\n\n**How to apply:**\n- Treat data custody as a workstream alongside design and integration in every portal scope.\n- Confirm vendor compliance posture against the SMB's customer geography before recommending — most US-only portals have weaker EU/Quebec posture.\n- Document who, on the SMB side, owns the breach record system.","rationale_body":null,"metadata":null,"links":{"outgoing":[{"slug":"rule-budget-for-pipeline-maintenance-from-day-one","title":"R5 — Budget for pipeline maintenance from day one; if the client can't commit to upkeep, rent the managed version instead of building one","kind":"rule","scope":"business","link_type":"relates-to"},{"slug":"pipeda-core-duties-consent-safeguarding-access","title":"PIPEDA core duties: meaningful consent, safeguards appropriate to sensitivity, data minimization, accountability (designated privacy officer), access/correction rights","kind":"reference","scope":"business","link_type":"depends-on"},{"slug":"pipeda-breach-reporting-rrosh-24-month-records","title":"PIPEDA mandatory breach reporting (in force Nov 1, 2018): report RROSH breaches to OPC + notify affected individuals + KEEP RECORDS OF ALL BREACHES for 24 months","kind":"reference","scope":"business","link_type":"depends-on"},{"slug":"pipeda-100k-per-violation-penalty","title":"PIPEDA penalties — up to CAD $100,000 per violation for knowingly failing to report, notify, or maintain breach records; OPC can refer to AG","kind":"reference","scope":"business","link_type":"depends-on"},{"slug":"control-accountability-third-party-processor","title":"PIPEDA control = accountability: the principal organisation controlling the data stays accountable even when a third-party processor holds it; contracts must address this","kind":"reference","scope":"business","link_type":"depends-on"},{"slug":"quebec-law-25-gdpr-ccpa-analog","title":"Quebec Law 25, GDPR (EU/UK), CCPA/CPRA (US) — analog privacy regimes; Quebec Law 25 specifically imposes stronger GDPR-comparable obligations than PIPEDA","kind":"reference","scope":"business","link_type":"depends-on"}],"incoming":[{"slug":"research-brief-client-portals-smb-june-2026","title":"Research brief: client portals for SMBs — the honest case (June 2026)","kind":"reference","scope":"business","link_type":"relates-to"},{"slug":"article-client-portals-for-smbs-when-worth-it","title":"Article (draft): Most small businesses don't need a custom client portal — some don't need one at all","kind":"reference","scope":"business","link_type":"relates-to"},{"slug":"rule-budget-20-30pct-annual-maintenance-from-day-one","title":"R4 — Budget 20-30% of build effort annually for maintenance from day one; assign a metric-definitions owner; audit quarterly and archive any dashboard unopened in 30+ days","kind":"rule","scope":"business","link_type":"relates-to"}]},"created_at":"2026-06-20T17:57:32.221Z","updated_at":"2026-06-20T17:57:32.221Z"}