Y'all read the updates to PIPEDA? Starting November 1st 2018 (yup this week) you have some reporting obligations if you have a 'security breach' of your privacy safeguards.
You probably think it doesn't apply to you. You are wrong. Big and small. A new acronym for you RROSH (Real Risk of Significant Harm). Who wants to be the first to fill out the form?
So... are all your laptops encrypted (with something better than BitLocker please), with UEFI secure boot? Is your data all encrypted at rest on your servers? Are all your personal fields hashed with salt? Don't be 'that company' that fesses up to keeping the SIN + Passport + home address + Credit Cart w/ CVC in a 'foo.csv' file in the root of an old web server that gets sold on ebay.
What's your egress firewall policy? In your cloud? In your site?