Use this checklist with your team. This is not legal advice — it's a practical starting guide.
Governance and transparency
- [ ] Privacy policy published (French first for Quebec audience)
- [ ] Person responsible for personal information identified
- [ ] Privacy incident log (even a simple spreadsheet)
- [ ] Process to handle access / correction requests
Collection and consent
- [ ] Web forms: clear purpose + consent where required
- [ ] Data collected limited to what's needed
- [ ] Retention period documented per data type
Technical security
- [ ] MFA on email and admin accounts
- [ ] Tested backups (mail, critical files)
- [ ] Access revoked when employees leave
- [ ] Security updates on workstations
Vendors and subprocessors
- [ ] List of tools storing client/employee data
- [ ] Cloud vendor policies reviewed
- [ ] Data location (country/region) documented when possible
Next step
Want an outside review? Request a free assessment — we'll help prioritize actions for your situation.