Checklist: Verify Your Privacy Law Compliance
This checklist covers the 9 essential obligations under Quebec's privacy law. Use it to assess where you stand and identify gaps to address.
For each point, ask yourself: "Could I demonstrate this to a CAI inspector tomorrow?" If the answer is no, it's a priority.
Step-by-step process
1. Designation of the Person Responsible for the Protection of Personal Information (RPRP)
   Do you have a person responsible for privacy protection? Are their contact details published on your website? If you've delegated the role, do you have a written delegation document?
2. Personal Information Inventory
   Do you know what personal information you hold? Where is it stored? Who has access? For what purposes do you use it? How long do you keep it?
3. Privacy Policy
   Do you have an up-to-date privacy policy? Is it accessible on your website? Does it clearly describe your collection, use, and retention practices?
4. Consent Management
   Do you obtain consent before collecting personal information? Is consent separate for each purpose? Do you offer a simple way to withdraw consent?
5. Data Security
   Do you have security measures appropriate to the sensitivity of the data? Access controls, encryption, backups? Are your employees trained on privacy protection?
6. Vendor Management
   Have you identified all suppliers who process personal information on your behalf? Do you have contracts with confidentiality clauses? Do you know where your data is hosted?
7. PIA (Privacy Impact Assessments)
   Do you conduct PIAs before technology projects involving personal information? Before data transfers outside Quebec?
8. Access, Correction, Deletion, and Portability Requests
   Do you have a process to respond to requests within 30 days? Can you locate all of a person's information in your systems?
9. Incident Management
   Do you have a privacy incident register? A process to assess risks and report to the CAI if necessary? Do you know how to notify affected individuals?
Tips and warnings
How to use this checklist
- Be honest in your assessment. A half-checked box isn't checked. Be realistic about your current situation.
- Document the evidence. For each "yes," note where the evidence is (document, system, policy).
- Prioritize the gaps. You can't fix everything at once. Focus on the highest risks first.
- Involve the right people. The privacy officer can't verify everything alone. Involve IT, HR, operations.
Red flags
- No designated privacy officer: You've been technically non-compliant since September 2022.
- Sensitive data without encryption: Health, financial, or biometric information directly accessible.
- No inventory: You don't know what data you have or where it is.
- Vendors outside Quebec without PIA: Any data transfer outside Quebec requires an assessment.
- Missing or outdated privacy policy: A basic document every business must have.
Next steps
Once your assessment is complete, create an action plan with deadlines. The most critical gaps should be fixed within 30 days. The remaining gaps can be scheduled over a longer period, depending on their complexity.
Frequently asked questions
How many boxes do I need to check to be compliant?
All of them. All 9 obligations apply to every business in Quebec, regardless of size. However, the extent of measures can vary based on company size and data sensitivity.
Where should I start if I'm starting from scratch?
Start with the privacy officer and inventory. You can't protect what you don't know about. Once you know what data you have and where it is, the other steps become clearer.
Does a small business have the same obligations?
Yes, the legal obligations are the same. But measures can be proportional: a 5-employee SME doesn't need the same level of documentation as a large corporation. What matters is having reasonable practices.
Is there an official compliance certification?
The CAI does not offer any certification or official "law-compliant" label. Compliance is an ongoing process you must maintain yourself. A lawyer can provide a legal opinion attesting to your compliance at a specific point in time.
What if I discover gaps?
That's normal — almost every business has gaps at first. Prioritize: fix the most serious risks first (unsecured sensitive data, no privacy officer), then work methodically through the rest.
How often should I verify my compliance?
At least once a year, or after any significant change: new system, new vendor, new processing activity. Compliance isn't a one-time project—it's an ongoing obligation.
Related tool
Conforme.ca is a tool that helps SMEs document their compliance with the law.