This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.
A privacy impact assessment isn't a large-enterprise-only exercise in Quebec, it's a legal requirement tied to the project, not the company's size. Any business, regardless of headcount, acquiring, developing, or overhauling an information system that processes personal data about Quebec residents needs one, and a new AI tool rollout is exactly this kind of project.
In short: Quebec's Law 25 requires a Privacy Impact Assessment for any project involving the acquisition, development, or overhaul of an information system or electronic service delivery system that processes personal data. This applies to a new AI tool rollout regardless of business size. The assessment needs to be genuine and proportionate to the real risk, not a lengthy formality, but skipping it entirely, as one real 2026 enforcement finding showed, is treated as a substantive compliance failure, not a minor gap.
The plain-English answer
If your business is in Quebec, or has Quebec-resident customers or employees, and you're adopting a new AI tool that processes personal data, a Privacy Impact Assessment is a legal requirement, not an optional best practice reserved for larger organisations. The size of your business changes what a proportionate assessment looks like, a smaller, more focused review rather than a lengthy formal document, but it doesn't remove the requirement itself.
Why this matters for your business
A 12-person Quebec accounting firm rolling out an AI document-processing tool is a genuinely easy case to underestimate, the firm has no dedicated privacy team, the tool feels like a routine productivity upgrade, and the instinct to treat a PIA as something only larger organisations need to worry about is understandable. But accounting firms handle exactly the kind of sensitive personal and financial data Law 25 is most concerned with, and an AI tool processing client financial records is a real information-system change the law's PIA requirement was written to cover.
The cost of skipping this isn't abstract. A real 2026 enforcement finding against a major AI company centred specifically on a privacy impact assessment completed too late, months after a feature had already launched and caused real harm, showing regulators treat a missing or delayed PIA as a substantive failure, not a minor paperwork gap, regardless of the organisation's size.
What a PIA actually requires
Law 25 requires a Privacy Impact Assessment for any project involving the acquisition, development, or overhaul of an information system or electronic service delivery system that processes personal data. A genuine AI tool rollout, not a trivial internal setting change, clearly qualifies. The assessment itself should cover what personal data the new system will process, why, what risks that processing creates for the people whose data it is, and what safeguards address those risks, done before the system goes live, not after.
Proportionality matters here: a large enterprise's PIA for a major new AI platform and a 12-person firm's PIA for an AI document-processing tool shouldn't look identical in length or formality, but both need to genuinely work through the same core questions, not skip them because the business is small. A short, honest assessment that actually considers the real risks is more valuable, and more compliant, than a lengthy template filled in without real thought.
What this looks like in practice
Picture the accounting firm owner, about to roll out an AI tool that processes client tax documents and financial records, with no PIA planned because the firm has always associated that term with large corporate compliance departments. Working through Law 25's actual requirement changes the plan: before rollout, the firm documents what client data the tool will process, checks the vendor's data handling and retention terms, considers what happens if the tool mishandles a client's sensitive financial information, and confirms a safeguard, like restricting the tool's access to only the specific document types it needs, addresses the main risk identified.
This takes an afternoon for a firm this size, not weeks, and produces a real, documented assessment rather than either skipping the requirement or over-building a process the firm doesn't need. That's the proportionality Law 25 actually expects.
What you can do about it
A practical, proportionate PIA process for a small or mid-size business:
- Before adopting any new AI tool that processes personal data, document what data it will handle and why.
- Identify the realistic risks, not every theoretical scenario, but the ones genuinely plausible for your business and data.
- Check the vendor's own safeguards and data handling terms against the risks you've identified.
- Document the assessment, even briefly, before the tool goes live, not after.
- Revisit the assessment if the tool's use changes materially, a new PIA isn't a one-time exercise per tool forever.
For the fuller picture on Law 25's other automated-decision requirements beyond the PIA specifically, see our guide on Quebec's Law 25 and AI.
Methodology (Real-World, Verified)
We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.
Related reading: our AI governance by region.
Free tools: AI Privacy Risk Scorer to score your current AI tool setup against data-privacy best practice | AI Compliance Checker to check whether your AI tools meet your compliance obligations.
Does every single AI feature need its own separate PIA?
Each genuine new information system or significant overhaul needs an assessment, but minor updates to an already-assessed system don't necessarily require starting over. Use judgment: a materially new use case or data type warrants a fresh look, a small configuration change to an already-assessed tool usually doesn't.
Is there an official template for a Quebec PIA?
Quebec's data protection authority (the CAI) publishes guidance on conducting assessments, worth checking directly rather than relying solely on a generic third-party template, since it reflects the specific expectations Quebec regulators actually apply.
Does the PIA requirement apply outside Quebec too?
Not as a formal statutory requirement, Law 25's PIA obligation is Quebec-specific. PIPEDA doesn't currently impose an identical formal PIA requirement federally, though conducting some form of risk assessment before a new AI rollout is good practice everywhere, and may be expected under PIPEDA's broader accountability principle even without an explicit PIA mandate.
What happens if we skip the PIA and nothing goes wrong with the data?
The requirement exists independent of outcome, skipping it is a compliance gap regardless of whether any actual harm results. If a regulator investigates for any reason, being unable to show a PIA was done before a qualifying project is a real finding against the business.
The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.
Not sure whether your customers or employees trigger Quebec's rules specifically?
Check which Canadian law applies