On November 1, 2018, new mandatory notice requirements and new record-keeping requirements will come into force for organizations regulated by the federal Personal Information Protection and Electronic Documents Act. Under the new requirements, if an organization experiences a breach of security safeguards involving personal information under its control and if it is reasonable to believe that the breach poses a “real risk of significant harm”, that organization is required to (1) report the breach to the Office of the Privacy Commissioner of Canada, (2) notify the affected individuals; and (3) in certain circumstances, notify other organizations.