Quebec Law 25 PIA Playbook
Privacy Impact Assessments, ADM disclosures, cross-border transfer assessments — produced against the clause and the regulator guidance.
How the playbook runs.
Each phase is operated jointly by our compliance agents and our specialists. Agents carry the mechanical steps; specialists own the judgement calls and the sign-off at the boundary between phases.
- 01Processing inventory
- 02Necessity and proportionality
- 03Safeguards and disclosures
- 04Residual-risk sign-off
What you hold at the end.
Signed, dated, tamper-evident, portable. The artifact set reads in PDF, Excel and JSON — and without a platform login. Your practitioners keep working even if we walk away.
The regimes this playbook answers.
One playbook, mapped clause-by-clause to every framework in scope. Open any framework below for the primary-source detail and the controls we land against it.
The agents that touch this playbook.
Each agent is bounded, instrumented and auditable. Actions are logged. Thresholds are reviewed. A specialist holds the pen at every decision point that carries supervisory weight.
- PIA AgentDrafts the Privacy Impact Assessment against the clause and the regulator guidance — necessity, proportionality, safeguards, residual risk.
- DPIA AgentHandles GDPR Article 35 and EU AI Act Article 26 fundamental-rights assessments where the processing triggers a DPIA.
- ADM Disclosure AgentProduces the automated-decision disclosure text each privacy regulator will recognise — Law 25, PIPEDA, GDPR Article 22.
- Cross-Border Transfer AgentAssembles the SCCs, TIAs and transfer-impact files when training, inference or RAG cross a jurisdictional boundary.
Start this playbook on your portfolio.
Tell us which estate it runs against and which supervisory conversation it needs to answer. We will walk from first discovery to a signed artifact — with the agents doing the assembly and our specialists owning the sign-off.