Free Tool

PIPEDA Self-Assessment

Answer 15 questions about how your business handles personal information. We score your PIPEDA maturity across five categories and show where the biggest gaps are. No email required, results visible immediately.


Consent and Collection

PIPEDA requires meaningful consent before collecting personal information, with collection limited to what is necessary for stated purposes.

Do you obtain meaningful consent before collecting personal information, with clearly stated purposes?

Pre-ticked checkboxes, consent bundled into a long terms-of-service document, or consent obtained after the data has already been collected generally do not meet the meaningful-consent standard. Individuals need to understand what is collected, why, and who it is shared with before they agree.

Have you documented the specific business purposes for which you collect personal information?

PIPEDA Principle 2 requires you to identify and document the purposes at or before the time of collection.

Do you limit collection to what is reasonably necessary for the stated purposes?

Collecting extra fields "just in case" or for unrelated future use is not compliant.

Use, Disclosure, and Retention

Personal information must be used and disclosed only for the purposes for which it was collected, and retained only as long as necessary.

Is personal information used and disclosed only for the purposes for which it was collected?

Using customer data for unrelated new purposes (e.g. selling to third parties) without fresh consent is a common violation.

Do you have a written retention schedule that defines how long personal information is kept?

"Storage is cheap so we keep everything forever" is not a defensible PIPEDA position.

Do you have a documented process to destroy or anonymize personal information at the retention horizon?

Deleting from a file share but keeping in indefinite backups is not effective disposal.

Safeguards

Reasonable safeguards must protect personal information against loss, theft, unauthorized access, disclosure, copying, use, or modification.

Do you enforce MFA, EDR endpoint protection, and tested backups across your business?

PIPEDA does not name specific controls; it requires safeguards appropriate to the sensitivity of the information. In practice, MFA on every remote-accessible account, EDR on every endpoint, and backups that are regularly restored and tested are the minimum technical baseline a small business is expected to show in 2026, and the absence of any of them is hard to defend after a breach.

Do you have physical safeguards (locked offices, secured documents, access controls to file rooms)?
Do you have administrative safeguards (role-based access, training, signed acceptable use)?

Accountability

PIPEDA Principle 1 requires a designated individual accountable for compliance and documented policies and practices that give effect to the other principles. Mandatory breach reporting is a separate statutory obligation under the Act, but it is assessed here because it depends on the same accountability structure.

Have you designated an individual responsible for PIPEDA compliance and made their contact information available?

This person can be an existing employee; it does not need to be a dedicated privacy officer. What matters is that someone is formally designated and that individuals can find out who that person is and how to reach them.

Do you have a written privacy policy that is reasonably accessible to individuals?

A privacy policy page on your website is the typical minimum. It must accurately reflect your practices.

Do you have a documented breach response process that can notify the OPC and affected individuals?

Since November 1, 2018, a breach of security safeguards that creates a real risk of significant harm to an individual must be reported to the OPC and the affected individuals as soon as feasible, and you must keep a record of every breach of safeguards (whether or not it met the reporting threshold) for at least 24 months. The process should therefore include a documented harm assessment, not just a notification template.

Individual Access and Correction

Individuals have the right to access their own personal information and request corrections.

Do you have a documented process to respond to individual access requests within 30 days?

PIPEDA requires a response within 30 days of receiving the request, with a further extension of at most 30 days on limited grounds, and the individual must be told if an extension is taken. Many businesses have no process at all and cannot locate everything they hold about a person within that window.

Do you have a process to correct inaccurate personal information on request?
Do you have a documented complaints process so individuals can challenge your compliance?


Want help acting on the result?

This tool gives you the picture. ClayGen helps you close the gaps. No pressure, no obligation, just a real conversation about your environment.

Book a Discovery Call