A Plain-Language PIPEDA Compliance Checklist for Small Businesses
If your business collects customer names, emails, or payment details, Canada’s federal privacy law — the Personal Information Protection and Electronic Documents Act, or PIPEDA — almost certainly applies to you. The law can feel intimidating, but at its core it asks something reasonable: handle people’s personal information carefully and honestly. Here’s a plain-language checklist to get there.
This is a general overview, not legal advice. In British Columbia, Alberta, and Quebec, a substantially similar provincial law may apply instead — Quebec’s is notably stricter.
1. Put someone in charge of privacy
PIPEDA expects accountability. Name a specific person responsible for your organization’s privacy practices — even if that person is the owner. Privacy can’t be “everyone’s job,” which usually ends up meaning no one’s.
2. Know what you collect and why
Make a simple inventory: what personal information you collect, where it is stored, who can access it, and the reason you have it. You can’t protect — or justify — data you haven’t mapped.
3. Identify your purposes and get meaningful consent
Tell people why you’re collecting their information at or before the time you collect it, and get their consent. Consent has to be meaningful — buried clauses don’t count.
4. Collect only what you need
Don’t gather information “just in case.” Limit collection to what is genuinely needed for the purposes you identified.
5. Publish a clear privacy policy
Make your privacy practices openly available — usually a privacy policy on your website — written in language a normal person can understand. (Our own privacy policy is a starting example.)
6. Safeguard the information
PIPEDA requires safeguards appropriate to how sensitive the data is. In practice that means access controls, multi-factor authentication, encryption where appropriate, endpoint protection, and monitoring. This is where privacy compliance and cybersecurity meet — a privacy promise you can’t technically keep isn’t worth much.
7. Keep data accurate, and don’t keep it forever
Keep information accurate and up to date, and set retention limits. When you no longer need personal information, dispose of it securely.
8. Let people access their information
Individuals have the right to ask what personal information you hold about them and to request corrections. Have a process ready to respond.
9. Be ready for a breach
If a breach creates a real risk of significant harm, PIPEDA requires you to report it to the Privacy Commissioner and notify affected individuals — and to keep a record of every breach, regardless of severity. Our guide to PIPEDA breach reporting covers this in detail.
10. Handle complaints and questions
Have a simple, documented way for people to challenge your compliance or raise privacy concerns — and make sure someone actually responds.
Where most small businesses fall short
The gaps we see most often aren’t the paperwork — they’re items 6 and 9: the safeguards aren’t strong enough, and there’s no real breach plan. Both are fixable, and both are where a security partner adds the most value.
If you’d like help turning this checklist into a working program, get in touch — our compliance advisory service is built for exactly this.