Practical Guide
Canadian privacy readiness guide for practical privacy safeguards.
Use this guide to check whether privacy responsibilities, safeguards, breach workflow, and evidence are documented well enough for leadership, customer, insurer, or regulator questions.
Step 1
Who This Is For
Canadian SMBs that collect, use, disclose, or store personal information in commercial operations.
Teams preparing for a customer review, privacy question, insurance request, or internal governance cleanup.
Organizations that have policies but cannot easily show how privacy safeguards operate day to day.
Step 2
What To Check First
A named privacy owner with documented responsibilities and management support.
Personal information inventory that maps systems, purposes, access, vendors, retention, and sensitivity.
Consent, access, correction, and complaint workflows with intake owner and response tracking.
Security safeguards for personal information, including access control, extra login verification, encryption, logging, backups, disposal, and training.
Breach response workflow, real risk of significant harm assessment process, breach log, and notification decision records.
Vendor and processor oversight, including contracts, subprocessors, data location, safeguards, and incident notification commitments.
Step 3
Evidence To Collect
Privacy accountability record, policy owner, review date, and training evidence.
Data inventory or system map showing where personal information lives and who can access it.
Access request and correction workflow, response logs, or intake template.
Safeguards matrix tying data sensitivity to administrative, technical, and operational controls.
Breach log, harm assessment template, incident escalation path, and tabletop notes.
Vendor list, privacy clauses, data processing roles, and security review evidence.
Step 4
Common Gaps
Privacy ownership is informal or dependent on one person without documented backup.
Personal data inventory does not include software tools, shared drives, spreadsheets, or vendor portals.
Security controls exist but are not mapped to personal information sensitivity.
Breach response exists as an IT process but does not include privacy harm assessment or notification decision records.
Vendor contracts mention confidentiality but not incident timing, subprocessors, or safeguards evidence.
Step 5
Practical Checklist
Identify the personal information the organization collects, why it is collected, where it is stored, who can access it, and which vendors touch it.
Confirm the privacy owner, backup owner, escalation path, and review cadence for privacy-related documents and decisions.
Map safeguards to sensitivity: stronger controls for administrator access, customer records, employee records, financial data, and regulated workflows.
Prepare a breach workflow that includes incident intake, containment, privacy harm assessment, notification decision, breach log, and after-action review.
Review customer-facing answers so they accurately describe current safeguards rather than aspirational future-state controls.
Step 6
Official Baseline To Keep In Mind
The Office of the Privacy Commissioner of Canada describes mandatory breach reporting under Canadian privacy law for breaches of security safeguards that pose a real risk of significant harm.
OPC guidance also describes record-keeping expectations for breaches of security safeguards so compliance can be verified.
The Canadian Centre for Cyber Security baseline controls are useful context for practical safeguards, especially for SMBs that need lower-burden security improvements.
Use official OPC guidance and legal counsel for obligations, thresholds, and jurisdiction-specific questions.
Step 7
Decision Points
If privacy ownership is clear but evidence is scattered, start with an evidence inventory and safeguards matrix.
If ownership is unclear, start with accountability, escalation paths, and decision records before polishing policies.
If a customer review is active, prioritize externally shareable proof and careful gap language.
If breach readiness is untested, run a tabletop exercise before assuming the written process will work under pressure.
Step 8
When To Ask For Help
A customer, insurer, or leadership team asks for privacy safeguards evidence and owners are unclear.
The organization has not tested privacy breach escalation or harm assessment decision-making.
Vendor privacy risk, cross-border handling, or processor oversight is not documented well enough for review.
Related Template