Internal template

Privacy Impact Assessment

Grafa completes a written PIA before launching any new product or technology feature that involves personal information, as required by Quebec's Law 25 and in line with PIPEDA and GDPR Article 35 (DPIA) practice. Each completed PIA is filed by the Privacy Officer (Serena Tsay, serena@grafa.co). Quebec residents may request a summary of a relevant PIA. The template below is the format we use.

1. Feature overview

  • Name of the feature or change.
  • Owner (PM / engineering lead).
  • Launch date and rollout plan.
  • Plain-language description of what it does.

2. Personal information involved

  • Categories of personal information collected, used, or generated.
  • Whether sensitive personal information is involved (e.g. financial or biometric data, or data about minors).
  • Sources of the data (user input, derived, third party).
  • Whether new data is collected or existing data is reused.

3. Purpose & necessity

  • Why is this data needed for the feature?
  • Is each data point strictly necessary, or could the feature work with less?
  • What lawful basis (GDPR) applies, and is meaningful consent (PIPEDA / Law 25) collected where required?

4. Recipients & transfers

  • Internal teams that will access the data.
  • Sub-processors involved and where they store the data.
  • Cross-border transfers and the safeguards in place (SCCs, etc.).

5. Risk assessment

  • Privacy risks identified (re-identification, secondary use, breach impact, profiling).
  • Likelihood and severity for each risk.
  • Risks specific to vulnerable users or minors, if any.

6. Mitigations

  • Technical mitigations (encryption, access controls, retention limits, anonymisation).
  • Organisational mitigations (training, documented process, audits).
  • User-facing mitigations (transparent notice, granular consent, easy opt-out).

7. Data subject rights impact

  • Can users still exercise access, deletion, correction, portability, and objection?
  • Any new tooling needed to fulfil rights requests?

8. Decision

  • Approved / approved with conditions / blocked.
  • Conditions and follow-up actions.
  • Sign-off by the Privacy Officer (Serena Tsay) with date.

See also our Privacy Policy and Data Processing Addendum.