On September 22, 2023, when most of the provisions of the Act to modernize legislative provisions as regards the protection of personal information (“Law 25”) came into force, amending the Act respecting Access to documents held by public bodies and the Protection of personal information (“Access Act”) (available in French only) and the Act respecting the protection of personal information in the private sector (“Private Sector Act”), the Commission d’Accès à l’Information (“CAI”) published a highly anticipated supporting guideline for organizations to conduct a privacy impact assessment (“PIA”).
Organizations will now have new benchmarks to conduct their PIAs, while bearing in mind that this guide is purely indicative.
The CAI’s supporting guide provides a multi-step plan that mirrors the PIA process:
- Determine whether an assessment is required
- Prepare the assessment
- Analyze and assess privacy factors
- Report on the assessment
Finally, a key point should be emphasized: the CAI specifies that compliance cannot be achieved within a day, but is rather an ongoing commitment to individual privacy. Additionally, in order to ensure efficiency in compliance processes, the implementation of security measures will need to be monitored and reviewed according to the emerging risks and changes made over the course of the project.
