PIPEDA Compliance Checklist 2026 | North Star

PIPEDA Compliance Checklist 2026: What Every Canadian SMB Needs to Document

PIPEDA, the Personal Information Protection and Electronic Documents Act, is Canada's federal private-sector privacy law. It applies to most commercial organisations that collect, use, or disclose personal information across provincial borders or in federally regulated industries. BC businesses operating mainly within BC are primarily subject to BC PIPA (see our separate PIPA checklist), but federal compliance still matters for interprovincial transactions, federally regulated sectors, and employee data. Here's what you need to have documented.


Does PIPEDA Apply to You?

PIPEDA applies if you:

  • Collect personal information in the course of commercial activity
  • Operate in a federally regulated industry (banking, telecom, air transport, interprovincial trucking)
  • Conduct interprovincial or international transactions involving personal information

BC businesses: BC's PIPA has been deemed "substantially similar" to PIPEDA. BC private-sector organisations generally satisfy their PIPEDA obligations through PIPA compliance, but PIPEDA still applies to federally regulated activities.

If you're unsure which law applies to your business, the Office of the Privacy Commissioner of Canada's website has a jurisdiction tool. For most BC SMBs: PIPA for provincial commercial activity, PIPEDA for any federal or interprovincial dimension.


The Ten Fair Information Principles, Simplified

PIPEDA is built around ten principles. Most businesses fail on three: safeguards, retention, and individual access. Here's a quick checklist for all ten:

Principle                             | What it requires                                           | Your status
Accountability                        | Named privacy officer                                      | ☐ Done
Identifying purposes                  | Purpose documented before collection                       | ☐ Done
Consent                               | Meaningful consent obtained and documented                 | ☐ Done
Limiting collection                   | Collect only what's needed                                 | ☐ Done
Limiting use, disclosure, retention   | Use only for stated purpose; don't keep longer than needed | ☐ Done
Accuracy                              | Keep data current and accurate                             | ☐ Done
Safeguards                            | Security controls appropriate to sensitivity               | ☐ Done
Openness                              | Privacy policy published and accessible                    | ☐ Done
Individual access                     | Process for access requests                                | ☐ Done
Challenging compliance                | Contact for privacy complaints                             | ☐ Done

Step 1: Name a Privacy Officer

Designate a named individual responsible for PIPEDA compliance. They don't need to be a lawyer or a privacy specialist. They need to be reachable, to know they have the role, and to have access to the documentation. For most SMBs, this is the owner or operations manager with a written internal designation.


Step 2: Document Your Data Inventory

PIPEDA requires that you know what personal information you hold and why. Build a data inventory spreadsheet with:

  • What categories of personal data you collect (names, emails, addresses, payment info, health info)
  • Where each category is stored (CRM, email archive, cloud storage, paper files)
  • Why you collected it (stated purpose)
  • Who has access
  • Who you share it with (third-party processors, service providers)
  • How long you keep it

This document is your foundation. The OPC may ask to see it. You'll use it for breach response, access requests, and vendor assessments.


Step 3: Build a Retention Schedule and Actually Follow It

PIPEDA requires that personal information be kept only as long as necessary for the identified purpose. Common retention windows:

  • Client contact information: retained for duration of relationship + 7 years (CRA requirement for associated financial records)
  • Job applicant resumes: 6 months after hire decision (no ongoing purpose after that)
  • Vendor contact information: retained for contract period + reasonable follow-up period
  • Security camera footage: 30 days unless needed for an incident

Write the schedule down. Then actually delete data on schedule. "Delete" means actually removing it, not archiving it in a folder named "old data."
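The retention windows listed above, encoded as a schedule and run against a small data inventory to produce the purge worklist. This is an added illustration, not code from the original article or from North Star; the sample inventory is constructed, and the vendor "reasonable follow-up period", which the checklist does not quantify, is assumed to be 12 months.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention windows from the checklist above. The vendor "reasonable
# follow-up period" is not quantified on the page; 12 months is assumed here.
RETENTION = {
    "client_contact":   {"years": 7},    # relationship end + 7 years (CRA)
    "applicant_resume": {"months": 6},   # 6 months after hire decision
    "vendor_contact":   {"months": 12},  # contract end + assumed follow-up
    "camera_footage":   {"days": 30},    # 30 days unless needed for an incident
}

@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date           # relationship/contract end, hire decision, capture date
    location: str                # storage location, copied from the data inventory
    incident_hold: bool = False  # footage (or anything else) held for an incident

def shift(d: date, years: int = 0, months: int = 0, days: int = 0) -> date:
    """Calendar-aware date arithmetic; the day is clamped to the target month."""
    total = d.month - 1 + months + 12 * years
    y, m = d.year + total // 12, total % 12 + 1
    last = (date(y + (m == 12), m % 12 + 1, 1) - timedelta(days=1)).day
    return date(y, m, min(d.day, last)) + timedelta(days=days)

def purge_due(r: Record) -> date:
    return shift(r.trigger_date, **RETENTION[r.category])

def classify(r: Record, today: date) -> str:
    """An incident hold overrides the schedule; otherwise delete once the window has run."""
    if r.incident_hold:
        return "hold"
    return "delete" if today >= purge_due(r) else "retain"

def overdue_records(inventory: list[Record], today: date) -> list[str]:
    """IDs the schedule says must be deleted outright, not moved to an 'old data' folder."""
    return [r.record_id for r in inventory if classify(r, today) == "delete"]

# Constructed sample inventory (not real data), evaluated as of 2026-01-10.
TODAY = date(2026, 1, 10)
INVENTORY = [
    Record("C-001", "client_contact", date(2018, 3, 15), "CRM"),
    Record("A-001", "applicant_resume", date(2025, 8, 31), "HR mailbox"),
    Record("V-002", "vendor_contact", date(2024, 11, 1), "Accounting system"),
    Record("F-001", "camera_footage", date(2025, 12, 1), "NVR", incident_hold=True),
    Record("F-002", "camera_footage", date(2025, 12, 20), "NVR"),
]

if __name__ == "__main__":
    for r in INVENTORY:
        print(r.record_id, r.location, purge_due(r), classify(r, TODAY))
```

The worklist names the storage location from the inventory so the person running the purge deletes from the system of record rather than from a copy.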


Step 4: Build an Access Request Process

Under PIPEDA, individuals can request access to their personal information, and you must respond within 30 days of the request. You need:

  • A documented process for receiving requests (email address? form?)
  • A procedure for locating all records associated with the individual
  • A template response
  • A log of requests received and responses sent

Most BC SMBs do not have this documented. Build it before you receive a request; the time pressure of a live request is not the time to design a process.


Step 5: Breach Notification Under PIPEDA

PIPEDA requires notification to the OPC and to affected individuals if a breach poses a "real risk of significant harm" (RROSH). Factors affecting RROSH: sensitivity of the data, number of affected individuals, probability that misuse will occur.

Required documentation:

  • Maintain a breach record log (mandatory, regardless of whether notification is required)
  • OPC notification: as soon as feasible after determining a notifiable breach has occurred
  • Individual notification: directly, in plain language

Template contacts:

  • OPC breach report: priv.gc.ca/en/report-a-concern
  • OPC general line: 1-800-282-1376

Step 6: Annual Privacy Review

PIPEDA compliance is not a one-time exercise. Schedule an annual review covering:

  • Data inventory: any new data categories added in the past year?
  • Vendor list: any new SaaS tools that process personal information?
  • Retention schedule: purge overdue records
  • Access request log: any requests received? Handled correctly?
  • Breach log: any incidents? Documented?
  • Privacy policy: still accurate?

The annual review takes two to three hours if the underlying documentation is maintained. It takes much longer if nothing has been kept current.

To talk to a Prince George-based IT team about IT controls for PIPEDA compliance, call 672-983-1174 or book a free assessment at northstarit.ca.


Frequently asked questions

Does PIPEDA apply to businesses in British Columbia or Alberta?

While BC and Alberta have their own private sector privacy laws (PIPA), PIPEDA still applies to federally regulated industries and for-profit activities involving the cross-border transfer of personal information. North Star helps businesses navigate both provincial and federal requirements to ensure total compliance. We recommend regular audits to confirm that your technical safeguards meet the highest standard applicable to your specific operational region.

What are the penalties for non-compliance with PIPEDA?

Organizations failing to comply with PIPEDA face significant risks, including investigations by the Privacy Commissioner and potential fines. More importantly, data breaches resulting from non-compliance can lead to costly lawsuits and permanent loss of client trust. Our PIPEDA compliance checklist for Canada focuses on proactive defence through encryption, multi-factor authentication, and robust access controls to prevent these liabilities before they occur.

How often should we update our PIPEDA compliance checklist?

We advise reviewing your privacy policies and technical controls at least annually or whenever you implement new software. With the evolving threat landscape in 2026, a quarterly review is often better for firms handling high volumes of personal data. North Star provides ongoing monitoring and security awareness training to ensure your staff and systems remain aligned with the latest Canadian privacy expectations.