
PIA: How to Conduct a Privacy Impact Assessment Under Law 25

Willie Savard — CEO & Co-founder, Tchat N Sign | February 19, 2026 | 14 min read


The PIA (Privacy Impact Assessment; in French, EFVP, évaluation des facteurs relatifs à la vie privée) is the documented analysis you must conduct before any project involving personal information. It's Quebec's equivalent of the GDPR's DPIA. Since September 22, 2023, this obligation has been in force for all organizations subject to Law 25.

For a financial services firm, the PIA is not a theoretical exercise reserved for large organizations. Every new technology vendor, every CRM change, every electronic signature or client communication tool can trigger the obligation to conduct one. And if the vendor is located outside Quebec (even in Ontario), the PIA is mandatory without exception.

When Is a PIA Mandatory

Law 25 provides two situations that trigger the PIA obligation.

  • Before any project to acquire, develop, or overhaul an information system involving personal information. "Information system" is interpreted broadly: this includes a CRM, client file management software, an email platform, a video conferencing tool, a cloud document storage service, or an artificial intelligence tool. If the system touches personal information of your clients or employees, a PIA is required.
  • Before any communication of personal information outside Quebec. This is the Quebec-specific requirement with no equivalent in the GDPR or any other North American legislation. The threshold is not "outside Canada" but "outside Quebec." Using a vendor whose servers are in Ontario, British Columbia, or the United States triggers the obligation. In practice, the majority of technology vendors used by Quebec financial firms host their data outside Quebec, making the PIA relevant for nearly every vendor relationship.

What doesn't trigger a PIA: renewing a contract with an existing vendor, without changes in personal information handling practices, should not require a new PIA. However, if the vendor changes its terms, moves its servers, or adds new features affecting data, updating the existing PIA is prudent.

What the PIA Must Contain

Law 25 doesn't prescribe a rigid format for the PIA. It requires the assessment to be "proportionate to the sensitivity of the information concerned, the purpose of its use, its quantity, its distribution, and its medium." In other words, a 5-person firm's PIA for a CRM change doesn't need to be a 50-page document. It must, however, cover the essential elements in a documented manner.

Here are the elements every PIA should contain at minimum.

  • Project or vendor description. What system is being implemented or acquired? Which vendor is involved? What is the project objective? Who in the organization will be involved?
  • Inventory of personal information affected. What types of information will be collected, used, communicated, or stored? Names, contact details, SINs, financial data, health data? How many individuals are concerned? What is the planned retention period?
  • Identification of privacy risks. What risks are associated with the project? Unauthorized access? Data loss? Use for unintended purposes? Transfer to a jurisdiction offering lesser protection? The more sensitive the information (and in the financial sector, it almost always is), the more thorough the risk analysis must be.
  • Mitigation measures. For each identified risk, what measures are planned to reduce it? Data encryption, access controls, multi-factor authentication, contractual clauses with the vendor, staff training, retention and destruction policies.
  • Conclusion and decision. After analysis, is the residual risk level acceptable? Can the project proceed as is, with conditions, or must it be modified? Who made the decision and when?

The Special Case of Transfers Outside Quebec

When the PIA concerns a transfer of personal information outside Quebec, the law requires a sixth mandatory component: assessment of the legal framework applicable in the destination jurisdiction.

This assessment must consider the sensitivity of the information, the purpose of its use, the protection measures it will benefit from in the destination jurisdiction, and the legal framework of that jurisdiction. The law provides that communication can only take place if the assessment concludes that the information will benefit from adequate protection.

In practice, for transfers to other Canadian provinces (Ontario, B.C., Alberta), the assessment is generally favorable. These provinces have personal information protection laws recognized as substantially similar to federal law. The exercise remains mandatory, but the conclusion will normally be positive.

For transfers to the United States, the analysis is more nuanced. There is no U.S. federal data protection law equivalent to the GDPR or Law 25. Protection varies by state (California with the CCPA offers more guarantees than others) and by sector. Contractual clauses with the vendor (a DPA, or data processing agreement) become essential to compensate for gaps in the legislative framework. Vendor certifications (SOC 2 Type II, ISO 27001) strengthen the demonstration of adequate protection.

For transfers to Europe, the situation is paradoxically simpler. The GDPR offers a robust and well-documented protection framework. The assessment will normally conclude that the legal framework is adequate.

A Simplified Template for Your Firm

Here is a six-section structure that a financial services firm can adapt for most of its PIAs. The goal is not to produce a 30-page legal document, but a structured, proportionate, and defensible file in case of a CAI investigation.

Section 1: Project Identification
  • Name of the project or vendor being assessed
  • Assessment date
  • Assessment lead (normally the privacy officer)
  • Project description in 2 to 5 sentences
  • Business objective pursued
Section 2: Personal Information Inventory
  • Types of information collected, used, or communicated (precise list)
  • Estimated number of individuals concerned
  • Information source (collected directly, transmitted by a third party, generated by the system)
  • Planned retention period
  • Storage location (Quebec, other province, other country)
Section 3: Risk Analysis

For each identified risk, document three elements: risk description, probability (low, medium, high), and potential impact (low, medium, high). Typical risks for a financial firm include unauthorized access to client data, data loss or theft, transfer to a jurisdiction without adequate protection, use of data for purposes not intended by the vendor, and excessive data retention after the relationship ends.

Section 4: Mitigation Measures

For each risk, describe the control measure in place or planned. For example: data encryption in transit and at rest, multi-factor authentication, role-based access controls, contractual clauses imposing confidentiality and security on the vendor (DPA), data destruction process at contract end, annual staff training.

Section 5: Destination Legal Framework Assessment (if transfer outside Quebec)
  • Destination country or province
  • Applicable data protection law in that jurisdiction
  • Level of protection offered (adequate, partial, insufficient)
  • Contractual guarantees in place (DPA, confidentiality clauses, audit rights)
  • Vendor certifications (SOC 2, ISO 27001, ISO 27701)
  • Conclusion: is protection adequate considering all measures?
Section 6: Decision
  • Overall residual risk level (low, medium, high)
  • Decision (approved, approved with conditions, refused)
  • Conditions to be met, if applicable
  • Name and signature of the decision-maker
  • Date of next planned review

The complete document should fit in 3 to 6 pages for a standard project or vendor. Keep it in a centralized file accessible to the privacy officer and available to the CAI on request.
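The six-section template above, as an added example in Python that is not part of the original post: it models a PIA file as data, flags the gaps that make the file incomplete (in particular a missing Section 5 whenever the storage location is outside Quebec), and derives the Section 6 residual level and decision from the Section 3 ratings and the Section 5 conclusion. The score bands and the one-level reduction for a documented control are assumptions for illustration, not rules taken from Law 25.

```python
from __future__ import annotations
from dataclasses import dataclass, field

LEVELS = {"low": 1, "medium": 2, "high": 3}   # the page's three-point scale

@dataclass
class Risk:                       # one row of Section 3, with its Section 4 control
    description: str
    probability: str              # low / medium / high
    impact: str                   # low / medium / high
    mitigation: str = ""          # empty means no control in place or planned

@dataclass
class PIA:
    project: str                  # Section 1
    info_types: list[str]         # Section 2: precise list of information types
    storage_location: str         # Section 2: "Quebec", "Ontario", "United States", ...
    risks: list[Risk] = field(default_factory=list)
    destination_protection: str | None = None   # Section 5: adequate / partial / insufficient

def residual(risk: Risk) -> str:
    """Inherent score = probability x impact (assumed bands: <=2 low, <=4 medium, else high);
    a documented control lowers the level by one step (assumption, not a legal rule)."""
    score = LEVELS[risk.probability] * LEVELS[risk.impact]
    level = "low" if score <= 2 else "medium" if score <= 4 else "high"
    if risk.mitigation and level != "low":
        level = "low" if level == "medium" else "medium"
    return level

def validate(pia: PIA) -> list[str]:
    """Return the gaps that make the file incomplete; an empty list means all sections are present."""
    gaps = []
    if not pia.info_types:
        gaps.append("Section 2: personal information inventory is empty")
    if not pia.risks:
        gaps.append("Section 3: no risks identified")
    if pia.storage_location.strip().lower() != "quebec" and pia.destination_protection is None:
        gaps.append("Section 5: transfer outside Quebec requires a destination legal framework assessment")
    return gaps

def decide(pia: PIA) -> tuple[str, str, list[str]]:
    """Section 6: (overall residual level, decision, conditions to be met)."""
    conditions = [f"document a control for: {r.description}" for r in pia.risks if not r.mitigation]
    overall = max((residual(r) for r in pia.risks), key=LEVELS.get, default="low")
    # Communication outside Quebec may only proceed if protection is adequate; high residual risk is refused.
    if pia.destination_protection == "insufficient" or overall == "high":
        return overall, "refused", conditions
    if pia.destination_protection == "partial":
        conditions.append("obtain a DPA with confidentiality clauses and audit rights before go-live")
    decision = "approved with conditions" if conditions or overall == "medium" else "approved"
    return overall, decision, conditions
```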

The Classic Mistake: Confusing One-Time PIA with Ongoing Obligation

Most firms that discover the PIA obligation think it's a one-time exercise. In reality, it's an ongoing obligation triggered with every new project or significant change.

  • New CRM: PIA before deployment.
  • CRM changes its terms of use or moves its servers: PIA update.
  • Adding an electronic signature tool: new PIA.
  • Adopting an AI tool for drafting communications: new PIA, with particular attention to training data and vendor retention questions.
  • Changing email providers: new PIA.
  • Hiring a subcontractor who will access client data: PIA.

The right approach is to integrate the PIA into your technology acquisition process. Before signing a contract with a new vendor, ask yourself: "Will this vendor handle personal information of our clients or employees?" If the answer is yes, conduct the PIA before signing.

Questions to Ask Your Vendors

To inform Section 5 of your PIA (destination legal framework), here are ten essential questions to ask any technology vendor that will process your client data:

1. Where is data physically hosted (country, province, city)?

2. Can data be transferred or replicated to other jurisdictions?

3. Do you hold security certifications (SOC 2 Type II, ISO 27001, ISO 27701)?

4. Do you offer a DPA (Data Processing Agreement)?

5. How do you handle confidentiality incident notification?

6. What is your data retention and destruction policy?

7. What access controls are in place (encryption, multi-factor authentication, role-based access)?

8. Is our client data used to train AI models or for purposes beyond the contracted service?

9. Can we perform or request an audit of your security practices?

10. What happens to our client data if we terminate the contract?

A vendor that can't clearly answer these questions is a red flag. [Our article on evaluating technology vendors goes deeper into this topic](/blog/law-25-vendor-compliance-evaluation).

---

*This article is part of a series on Law 25 and compliance for financial services firms. See also:*

  • *[Quebec's Law 25: What Every Financial Advisor Needs to Know in 2026](/blog/quebec-law-25-guide-financial-advisors)*
  • *[The 7 Law 25 Obligations Your Firm Must Meet Now](/blog/law-25-obligations-checklist)*
  • *[How to Evaluate Whether Your Tech Vendors Are Law 25 Compliant](/blog/law-25-vendor-compliance-evaluation)*
  • *[Law 25 vs GDPR: What Quebec Borrowed from Europe](/blog/law-25-vs-gdpr-comparison)*

Frequently Asked Questions

Is a PIA mandatory even for a small 3-person firm?

Yes. Law 25 provides no exemption threshold based on size. However, the PIA must be "proportionate" to the situation. For a small firm, a 3-to-4-page document covering the essential elements is sufficient. The obligation is about having a documented assessment, not about its length.

Do I need to redo a PIA for a vendor I've been using since before Law 25?

The law doesn't explicitly require it for unchanged existing relationships. However, if you've never conducted a PIA for a vendor processing your client data outside Quebec, doing one retroactively is good practice. In the event of a CAI investigation, having a PIA, even one conducted after the fact, demonstrates your diligence and commitment to compliance.

How long must I keep PIAs?

Law 25 doesn't set a specific retention period for PIAs. Best practice is to keep them as long as the vendor or system relationship is active, plus a minimum of 5 years after the relationship ends. This timeline is consistent with the 5-year limitation period for criminal prosecutions and the incident register retention period.

My vendor has a DPA and SOC 2 certifications. Is that enough for the PIA?

A DPA and SOC 2 Type II certifications are important elements that inform your PIA, but they don't replace it. The PIA is your documented analysis, not the vendor's. It must include your risk assessment in your specific context (types of data you process, number of individuals concerned, sensitivity specific to the financial sector) and your reasoned conclusion. Vendor certifications are a favorable factor in this analysis, not a substitute.