R4 — Treat data custody as a project line item, not a footnote: PIPEDA consent + MFA + encryption + breach response plan + 24-month breach records all live in scope before launch
Rule: Every portal recommendation must include data custody as a line item, not a footnote. Before launch, confirm:
- Consent language that satisfies PIPEDA (meaningful consent).
- MFA on every account.
- Encryption in transit and at rest.
- Breach-response plan including who notifies whom on what timeline.
- PIPEDA-compliant processor agreement with any SaaS host.
- Budget for breach record-keeping: the 24-month retention requirement is an operational cost, not a legal one (PIPEDA mandatory breach reporting, in force Nov 1, 2018: report RROSH breaches to the OPC, notify affected individuals, and keep records of all breaches for 24 months).
Why: A login you control engages PIPEDA (PIPEDA core duties: meaningful consent, safeguards appropriate to sensitivity, data minimization, accountability (designated privacy officer), access/correction rights). Buying a portal does not transfer accountability: the principal organisation controlling the data stays accountable even when a third-party processor holds it, and contracts must address this (PIPEDA control = accountability). Penalties run up to CAD $100,000 per violation for knowingly failing to report, notify, or maintain breach records, and the OPC can refer matters to the AG (PIPEDA penalties). Quebec Law 25, GDPR (EU/UK) and CCPA/CPRA (US) are analog privacy regimes that tighten this further depending on the customer base; Quebec Law 25 specifically imposes stronger, GDPR-comparable obligations than PIPEDA.
How to apply:
- Treat data custody as a workstream alongside design and integration in every portal scope.
- Confirm vendor compliance posture against the SMB's customer geography before recommending — most US-only portals have weaker EU/Quebec posture.
- Document who, on the SMB side, owns the breach record system.
Depends on
- reference PIPEDA core duties: meaningful consent, safeguards appropriate to sensitivity, data minimization, accountability (designated privacy officer), access/correction rights
- reference PIPEDA mandatory breach reporting (in force Nov 1, 2018): report RROSH breaches to OPC + notify affected individuals + KEEP RECORDS OF ALL BREACHES for 24 months
- reference PIPEDA penalties — up to CAD $100,000 per violation for knowingly failing to report, notify, or maintain breach records; OPC can refer to AG
- reference PIPEDA control = accountability: the principal organisation controlling the data stays accountable even when a third-party processor holds it; contracts must address this
- reference Quebec Law 25, GDPR (EU/UK), CCPA/CPRA (US) — analog privacy regimes; Quebec Law 25 specifically imposes stronger GDPR-comparable obligations than PIPEDA
Referenced by (3)
- reference Research brief: client portals for SMBs — the honest case (June 2026) relates-to
- reference Article (draft): Most small businesses don't need a custom client portal — some don't need one at all relates-to
- rule R4 — Budget 20-30% of build effort annually for maintenance from day one; assign a metric-definitions owner; audit quarterly and archive any dashboard unopened in 30+ days relates-to