Express checklist: am I minimally compliant?
Before paying for a full audit, ask yourself fifteen yes/no questions: five minutes, a coffee, and you know if you are behind, progressing, or already solid. Check mentally; invite your privacy officer and an advisor if needed.
Minimally compliant does not mean "perfect": it means having the basics in place to respond to clients, document incidents, and show diligence if the CAI asks questions.
The 15 questions
In practice, each "no" is an action lever, not a shame marker.
- Is a privacy officer designated and are their contact details published? (details)
- Do you have an up-to-date privacy policy on the website?
- Do you have an internal policy for employees?
- Do you keep an inventory or register of processing activities (who, what, why)?
- Do you have a privacy incident register?
- Do you know how to respond in case of a data breach? (procedure)
- Do customer requests (access, rectification) have a process? (rights)
- Does the cookie banner reflect what the site actually does? (cookies)
- Do forms (newsletter, contact) respect consent rules? (consent)
- Do key vendor contracts (host, CRM) govern data properly? (clauses)
- Is a PIA done for high-risk projects? (PIA)
- Have employees received basic training? (training)
- Are retention periods defined? (data lifecycle)
- Can you respond to a portability request (export)? (portability)
- Have you run a recent technical scan of the public website? (run a scan)
Interpret your result
- 0 to 5 yes: Behind: Prioritize privacy officer, web policy, incident register, and emergency procedure. Do not postpone: a misaddressed email can become an incident.
- 6 to 11 yes: Progressing: Fill the gaps (vendors, training, consent) with the 7-step plan.
- 12 to 15 yes: Advanced: Maintain: annual review, scans after each redesign, PIA on new projects.
Phase calendar reminder: steps 2022, 2023, and 2024 (all in force today).
In brief
This checklist does not replace a full program, but it keeps you from navigating blind. Count your yes answers, tackle the no answers in order of risk, then consolidate with the action plan and a site scan.
Useful references
- CAI, Personal privacy protection: guides and obligations for organizations.
- 7-step action plan: SMB roadmap after the diagnosis.
- SMBs and nonprofits: who is covered: if you wonder whether the law really applies to you.
This text is informational and does not constitute legal advice. For a decision that binds your organization, consult the CAI and a legal professional.
Check your website
Several items on this list are visible on your public site (policy, cookies, privacy officer contact details). Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program.