PIA under Law 25: when and how
You are deploying a new CRM that centralizes customers and employees, or adding a chatbot that collects health information on the site? Before clicking "publish", ask: do we need a PIA (EFVP) (privacy impact assessment)? It is the tool to document risks before a sensitive project goes to production.
What is a PIA (EFVP)?
It is a structured process to describe a project, identify the personal information involved, analyze risks for individuals, propose mitigation measures, and decide whether residual risks are acceptable. The CAI publishes guides and expects a documented approach, not a simple checkbox.
In practice: a PIA is not another legal document to file away: it is proof that we thought about impacts before exposing people to a new processing activity.
When to conduct one
- New SaaS tool (CRM, HR, customer support) centralizing personal information.
- Website redesign with new forms, chat, analytics, or sharing with partners.
- Surveillance, geolocation, or biometrics: new or expanded.
- Profiling or automated decision with significant impact on the individual.
- Disclosure of sensitive information to third parties or outside Quebec.
- Large-scale collection or merging previously separate databases.
- High-risk web projects: invasive trackers, chatbots on health/financial data, etc.
When in doubt, consult official CAI criteria and your legal advisor. A PIA complements, but does not replace, technical controls on the public website.
Typical PIA steps
- Scoping: project description, stakeholders, data flows.
- Necessity and proportionality: minimize collection; keep only what is useful.
- Risk analysis: severity, likelihood, vulnerable individuals.
- Measures: security, contracts, policy, training.
- Validation: management / privacy officer approval, monitoring, and planned review.
Documenting the PIA for verification
Keep a dated version of the document (PDF or secure repository): project description, risk analysis, measures adopted, privacy officer or management decision, and review schedule. In case of a complaint or investigation, the CAI expects a structured approach, not just a vague internal note.
Key point: date it, name an owner, and plan a review. A frozen 2022 PIA that no longer reflects the current site protects no one.
Link to the website and visible compliance
A PIA often leads to concrete changes: new cookie banner, update to the privacy policy or web privacy policy, hardened TLS or headers. After deployment, verify the site reflects documented decisions. Otherwise, you create a gap that is easy to exploit in a complaint.
In brief
- A PIA documents risks before launching sensitive or large-scale processing.
- CRM, web redesign, profiling, sensitive data, or transfers outside Quebec: frequent SMB triggers.
- Five steps: scoping, proportionality, risks, measures, validation.
- Keep a dated version; link decisions to the public site and vendor contracts.
Useful references
- CAI, PIA (EFVP) tools and guides: templates and criteria to structure your assessment.
- Act P-39.1 (private sector): obligations related to privacy impact assessments.
- Privacy officer: role in validating and monitoring PIAs.
This text is informational and does not constitute legal advice. For a decision binding your organization, consult the CAI and a legal professional.
Check your website
After a PIA, the public site must reflect your decisions (cookies, policy, forms). Our free technical scan helps confirm deployment matches documentation. It complements, but does not replace, your compliance program.