Most organizations managing personal information will require a PIA at some point. Here are some common scenarios:

• You receive data protection related questions from customers, partners, stakeholders, or regulators

• You are expanding your business outside of Canada

• You transfer the personal information of Quebec residents outside of the province

• You transfer data between multiple healthcare providers in Ontario

• You provide services or solutions to the government sector

• You provide services or solutions to the healthcare sector

There are many PIA approaches and your methodology should be chosen based on the goals of your organization. However, as a rule of thumb PIAs should generally include the following:

• Executive Summary - a report designed for clear communications with regulators, partners, and stakeholders

• Gap Analysis - an in depth assessment of your data protection safeguards measured against a chosen legislation or standard

• Accountability and Governance - a review of the privacy policies, procedures, contractual terms, training, and reporting

• Technical Analysis - a review of the solution and its safeguards

• Data Flow - a visual map of data’s path through your organization from collection to destruction

• Risk Analysis - an in depth review of the data protection risks facing your organization rated on their likelihood and impact

• Remediation - a detailed roadmap to guide you through remediation of all identified risks

Yes! If your team members have the required experience and time you can complete PIAs internally.

However, most small and medium sized businesses don't have team members with PIA experience, CIPP/C certifications, or the time to conduct lengthy internal assessments.