Privacy Impact Assessment (PIA)
A Privacy Impact Assessment (PIA) is a structured evaluation of how a project handles personal information and the privacy risks it creates — now a legal requirement in Quebec for high-risk initiatives.
A PIA documents what personal information a system collects, how it flows, who can access it, and what could go wrong — then identifies controls to reduce those risks. Done early, it is far cheaper than fixing a privacy failure after launch.
Quebec’s Law 25 makes an ÉFVP mandatory for any project to *acquire, develop, or overhaul an information system or electronic service delivery* involving personal information, and before certain cross-border transfers. The assessment must be proportionate to the sensitivity, purpose, and volume of the data.
Even where not strictly required (most federal private-sector activity under PIPEDA), a PIA is a widely recommended best practice and a strong signal of accountability to regulators and customers.