Before Your Next Enterprise Deal Closes, Someone Will Ask About Your PIA
Your product is live. Clients are using it. Revenue is coming in. At some point, someone (a client's procurement team, a privacy officer, a regulator) is going to ask you to demonstrate that you actually considered the privacy implications of how your product works before you shipped it. If the honest answer is "not formally, no," that's a gap worth closing sooner rather than later.
Privacy Impact Assessments (PIAs), or Data Protection Impact Assessments (DPIAs) as they're known in some jurisdictions, have been around for a while. For years, they were largely a public sector concern. In Canada, PIAs have been a policy requirement for federal public sector institutions since 2002, with the Treasury Board of Canada Secretariat updating the associated policy instruments as recently as 2024. But things have shifted considerably for the private sector.
Quebec led the charge provincially. Since the most important provisions of Law 25 came into force in September 2023, private companies in Quebec are now required to conduct PIAs for a broad range of projects involving personal information, both at the implementation stage and before significant changes are made. If you're building or launching any information system that collects, uses, or shares personal information about Quebec residents, a PIA is not optional.
Looking south, the picture is becoming equally clear. Most US state privacy laws now require controllers to conduct data privacy impact assessments for high-risk processing activities, including the sale of personal data, targeted advertising, profiling, and sensitive data processing. California has gone further still, with businesses required to file attestations with the California Privacy Protection Agency starting in 2028 confirming, under penalty of perjury, that required assessments have been completed.
This is not a trend that's going away. The OPC, Canada's federal privacy commissioner, has publicly called for PIAs to be embedded into law rather than left as policy guidance. Whether or not that happens in the short term, the direction of travel is obvious.
Here's the part I want you to take away though: a PIA does not need to be a monstrous, months-long compliance project. That reputation puts a lot of teams off doing them at all, which is a much worse outcome than doing a lighter-touch version that's fit for your context.
A right-sized PIA should help you answer some fairly practical questions: What personal information does this product or feature touch? Why are you collecting it? Who can access it? Where does it go? What happens if something goes wrong? Those are not exotic questions. They're questions your CTO, your privacy officer, and your enterprise clients are probably already asking. A PIA just gives you a structured way to document the answers.
The proportionality point matters here. The PIA should be proportionate to the sensitivity of the data, the purpose of processing, and the amount of data involved. If you're processing basic contact information for a low-risk internal tool, your assessment will look very different from one covering a platform that profiles individuals or handles sensitive health data. Start where the risk is.
What I see in practice is that teams put off PIAs because they feel like a regulatory checkbox, something a lawyer drops on your desk before a procurement deal closes. When that's the first time you encounter one, it's almost always painful. The same document that could have been a two-week exercise during design becomes a multi-month scramble involving legal, engineering, and a lot of retroactive guessing.
The better approach is to build PIAs into your development process early, particularly before launching new features that change how personal data is collected or shared. That's not just a compliance recommendation; it's a risk management one.
If you're not sure where to start, or you want to make sure your assessment covers what your clients, regulators, or privacy officer actually need to see, I can help. Whether that's working through the methodology with your team, facilitating the assessment itself, or presenting the case for why this matters to your leadership, reach out through rossgsaunders.com.
Here's how my Privacy Impact Assessments (PIA and DPIA) work, including the process, what you get, and the typical timeline.