RULE: Treat a deliberate data layer as a privacy-compliance accelerator, not a privacy risk. The scattered alternative is harder to comply with.
Created 2026-05-22
Rule: When discussing data infrastructure with Candid clients, position a deliberate structured data layer as a PIPEDA / Law 25 / future-Bill-C-15 compliance accelerator, not a compliance risk.
Why:
- Brinks Home OPC finding 2024 (OPC vs Brinks Home (PIPEDA Findings #2024-002, Mar 28 2024): inadequate safeguards left customer data accessible for 10 weeks): customer data accessible to former occupants for 10 weeks because of inadequate safeguards on a portal. A scattered data estate is what enables this failure mode — there's no single inventory to audit, no single access-control surface to harden
- Quebec Law 25 (Quebec Law 25 (fully in force Sept 22, 2024): data portability + fines up to C$25M / 4% of worldwide turnover) requires data-portability requests in structured, machine-readable formats (CSV/JSON/XML — NOT PDFs). A scattered estate cannot produce these on demand. A Postgres warehouse can.
- PIPEDA Subject Access Requests (Canadian privacy 2026: PIPEDA still governs; Bill C-27 died on the Order Paper Jan 6, 2025 — no fines, only findings) require producing all data held about an individual. A structured layer with a canonical customer_id (RULE: Own a single customer_id primary key that joins across your vertical SaaS + QuickBooks + email + ads.) makes this a single query.
- Data retention requirements: you can't enforce a retention schedule on data you can't see. Structured = auditable.
How to apply:
- In data-infrastructure proposals to clients, the privacy-compliance benefit is a sales pitch item, not a footnote
- Build access controls + audit logging into the data layer from day 1 (Postgres row-level security, dbt + analytics-engineer review process)
- For clients serving Quebec residents: explicitly design for Law 25 portability (export procedure tested quarterly, format CSV/JSON, response time <30 days)
- For healthcare-adjacent clients in Ontario: PHIPA layer is separate and stricter — design with that constraint
Depends on
- reference OPC vs Brinks Home (PIPEDA Findings #2024-002, Mar 28 2024): inadequate safeguards left customer data accessible for 10 weeks
- reference Canadian privacy 2026: PIPEDA still governs; Bill C-27 died on the Order Paper Jan 6, 2025 — no fines, only findings
- reference Quebec Law 25 (fully in force Sept 22, 2024): data portability + fines up to C$25M / 4% of worldwide turnover