PIPEDA is the federal privacy law most BC businesses are supposed to follow. Most don't, because most don't know what it requires. Here's a checklist.
Does PIPEDA apply to you?
If you collect, use, or disclose personal information in the course of commercial activity, yes. Almost every BC business does. The public sector is a different regime. Health professionals have additional rules. Charities get a lighter touch.
The ten fair information principles
Accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, and challenging compliance. Most businesses fail on safeguards, retention, and access.
Name a privacy officer
Someone has to be the named privacy officer. They don't have to be a privacy expert. They have to be reachable. For most SMBs, this is the owner or operations lead with a written delegation.
Document the data inventory
Catalog what personal info you collect, where it's stored, why you collected it, how long you keep it, and who you share it with. Most SMBs have this in five people's heads. Write it down.
Build a retention schedule
PIPEDA requires that you not keep personal info longer than necessary. Pick retention windows by category and write them down. Then actually delete things on schedule.
Set up access requests
Individuals can ask what personal info you have about them. You have thirty days to respond. Most businesses do not have a documented process for this. Build the template now.
Breach notification
If a breach poses a real risk of significant harm, you must notify the OPC and affected individuals, and you must keep records of all breaches even if you don't report them. Build the response plan before you need it.
Annual review
Privacy law isn't set-and-forget. Review the program annually, covering any new vendors, new data flows, and any incidents, and document the review so you have evidence it happened.