CapGRC
Law 25 · Article

PIA Guide: How to Complete Your First Privacy Impact Assessment

Step-by-step methodology to conduct a Privacy Impact Assessment (PIA) compliant with Quebec Law 25 — including a downloadable template.

7 min read · October 2024

A Privacy Impact Assessment (PIA) is the central tool of Law 25 for building privacy protection into a project from the design stage. Mandatory since 22 September 2023, it must be carried out for any project to acquire, develop or overhaul an information system or electronic service delivery system that involves personal information, and before personal information is communicated outside Quebec.

When should you conduct a PIA?

1. New project or system involving personal information
2. Significant modification of an existing system
3. New contract with a third party processing personal data
4. Communication of data outside Quebec
5. Implementation of a surveillance or location system
6. Use of artificial intelligence on personal data
7. Change in the purpose of use of collected data

Triggers 1, 2 and 4 are the ones written into the Act itself (information system projects, and communication outside Quebec). The others are high-risk situations where a PIA is strongly advisable and where the Commission d'accès à l'information (CAI) expects organizations to be able to show their risk analysis.

PIA Structure

Section 1: Project Description

  • What is the objective of the project or system?
  • What personal data is collected? (exhaustive list)
  • Who collects the data and in what context?
  • Which systems process or store this data?
  • Is there any data sharing with third parties?

Section 2: Privacy Risk Analysis

  • What are the risks of unauthorized access to data?
  • What are the risks of use for unintended purposes?
  • What are the risks related to excessive retention?
  • What risks exist for vulnerable individuals (children, etc.)?
  • What is the potential impact on the individuals concerned?

Section 3: Protection Measures

  • What access controls are in place?
  • How is data encrypted (at rest and in transit)?
  • What is the retention and destruction policy?
  • How will confidentiality incidents be detected, logged in the incident register and, where there is a risk of serious injury, reported to the CAI and the individuals concerned?
  • How are individuals' rights exercised?

Section 4: Conclusion and Approval

  • Are the residual risks acceptable?
  • Are additional measures required before launch?
  • Has the person in charge of the protection of personal information (privacy officer) approved the PIA?
  • Is a review scheduled (and on what date)?

Ready-to-use PIA template

Download our Word template, structured according to the four sections described above and aligned with the recommendations of the Commission d'accès à l'information (CAI).

Download the PIA template (DOCX)

Manage your PIAs directly in CapGRC

Guided forms, PIA registry, project linkage and automatic archiving — Law 25 compliance made simple.