This content is provided for informational purposes and does not constitute legal advice. For any decision with legal or regulatory implications, consult a lawyer or the Commission d'accès à l'information (CAI).

βš–οΈ
Legal information β€” not legal advice This content is educational and general. It does not constitute legal advice and does not assess your particular situation. Consult a lawyer or the CAI for any decision.
CHAPTER 11

A Step-by-Step Compliance Plan

A realistic roadmap for an SMB starting from scratch, or nearly so. Timeframes overlap β€” start with the highest-impact actions.

Phase 1 Β· 0–90 days

Foundations and critical risks

ActionOwnerPriority
Formally designate the Privacy Officer (delegate in writing if needed)ManagementCritical
Publish the Privacy Officer's contact info on the websiteMarketing / ITCritical
Set up the incident registerPrivacy Officer / ITCritical
Draft a minimal incident response planIT / CISOCritical
Map your data (starter inventory)ITHigh
Enable MFA and review critical accessITHigh
List suppliers that process personal dataPrivacy OfficerHigh
Phase 2 Β· 3–6 months

Policies and processes

ActionOwnerPriority
Draft the (internal) governance policyPrivacy OfficerHigh
Publish the privacy policy (on the website)Privacy Officer / MarketingHigh
Review forms and marketing consentMarketing / SalesHigh
Update supplier contracts (Law 25 clauses)Privacy Officer / LegalHigh
Carry out PIAs for priority out-of-province flowsPrivacy Officer / ITHigh
Define the retention/destruction schedulePrivacy Officer / ITMedium
Set up the rights-request response processPrivacy Officer / Customer serviceMedium
Phase 3 Β· 6–12 months

Maturity and continuous improvement

ActionOwnerPriority
Roll out staff awareness trainingPrivacy Officer / HRHigh
Test the incident response plan (tabletop exercise)CISOMedium
Strengthen encryption, logging, backupsIT / CISOMedium
Set up an annual review of policies and PIAsPrivacy OfficerMedium
Document compliance (auditable evidence)Privacy OfficerMedium
Assess adopting a framework (NIST CSF, ISO 27001)CISOOptional
Prioritization advice

Where to start if resources are limited?

If your resources are limited, tackle first what reduces real risk and the risk of sanctions:

  • A formally designated Privacy Officer
  • An operational incident register
  • MFA enabled on critical access
  • A privacy policy published on the website

These are the most visible gaps, the easiest to flag against you, and the ones that come up in the CAI's first inspections.

Compliance is a continuous process, not a one-time project. Document everything: in an investigation, proof of due diligence matters as much as perfect compliance.