Citadel Privacy

Comprehensive Privacy & Compliance Solutions

Practical, regulation-ready privacy services delivered by a Harvard-trained privacy lawyer and CIPM-certified expert.

Privacy Impact Assessments (PIAs) & Data Protection Impact Assessments (DPIAs)

Conducting a PIA helps identify and address privacy risks in new systems and practices. We map how personal data flows through your processes, pinpoint legal authorities, and recommend controls. This is crucial in Alberta health care – HIA Section 64 requires custodians (like doctors, nurses, dentists) to complete a PIA before launching any new health information system. We can prepare the PIA report, submit it for review, and guide you on mitigating risks. We also offer a Privacy Maturity Model assessment to benchmark your overall privacy program against best practices, helping you plan improvements.

Privacy Officer as a Service & Virtual Data Protection Officer (vDPO)

Our Privacy Officer as a Service provides on-demand access to senior privacy professionals without full-time commitment. We work as your Virtual DPO, integrating with your team to advise on all privacy matters, oversee compliance programs, and act as a liaison with regulators. If your organization is subject to GDPR or similar laws, a DPO can be mandatory; even if it’s not required, having a dedicated officer can greatly improve governance and stakeholder confidence. Our experts tailor their involvement to your needs – from periodic consultations to day-to-day support, on-site or remote.

DSAR (Data Subject Access Request) & FOIP/ATIP Handling

We manage privacy access requests from individuals (for their personal data) and freedom-of-information or access-to-information requests from the public. Our specialists take over the entire process: verifying the request, searching records, reviewing disclosures, applying redactions, and preparing the response within legal timeframes. This ensures your organization meets its obligations efficiently and without error (for example, GDPR generally requires responses within 30 days, Alberta HIA within 30 days, and Alberta PIPA within 45 days, subject to permitted extensions).

Breach Response & Incident Management

When a data incident occurs, rapid and organized response is critical. We assist with incident response planning and execution: assessing the scope of a breach, containing it, and determining legal obligations. If a privacy breach is reportable, GDPR requires notice to the supervisory authority within 72 hours, Alberta’s HIA requires notice as soon as practicable to the Commissioner, Minister, and affected individual, and Alberta’s PIPA requires notice to the Commissioner without unreasonable delay where there is a real risk of significant harm. We guide you through that notification (providing the required details) and communication with affected parties. Our support also covers post-incident analysis to prevent future events and documentation to demonstrate due diligence to authorities.

Staff Training & Data Protection Awareness

Customized training is essential for compliance and risk reduction. We offer engaging workshops and e-learning modules on data protection fundamentals, tailored for different roles (from executive briefings to staff onboarding). Well-trained employees are your first line of defense: studies show human error is the biggest cause of breaches, and regulators emphasize that regular training is “strongly encouraged” as part of compliance. We also run privacy awareness campaigns and simulated phishing exercises to keep data protection top-of-mind year-round.

Third-Party Vendor & Cross-Border Privacy Assessments

Your data partners must also be held to high privacy standards. We audit vendor contracts and controls to ensure adequate data protection. This includes verifying encryption, breach protocols, and compliance with laws. For international transfers, we conduct Transfer Impact Assessments (TIAs) as per current guidance. For instance, transfers of EU/UK personal data outside those regions require legal mechanisms (new Standard Contractual Clauses, etc.) plus additional assessments under GDPR. We document this process, recommend supplementary safeguards, and update contractual clauses to mitigate any identified risks.

Consent & Direct Marketing Review

We evaluate your consent collection processes and marketing lists to ensure they meet regulatory standards. This includes reviewing opt-in mechanisms, opt-out/withdrawal processes, and transparency in privacy notices. For example, under GDPR consent must be freely given, specific, informed, and unambiguous; in Canada, CASL requires express consent for most electronic marketing. We help you update website banners, email subscription forms, and customer agreements so that your practices respect individual choice and legal requirements.

EU/UK Representative Services

If you market goods or services to EU/UK residents and have no physical presence there, GDPR (and UK GDPR) requires you to appoint a local representative under Article 27. We provide this service: our team acts as your official point of contact for EU/UK data protection authorities and data subjects. We handle correspondence on your behalf, assist with responding to inquiries or enforcement actions, and maintain required documentation (like Records of Processing) in compliance with Article 27. This ensures you meet cross-border legal obligations without establishing an EU/UK office.

Privacy Legislation & Compliance Advisory

We keep you up to date with evolving privacy laws (e.g. PIPA, PIPEDA, HIA, POPA, ATIA, HIPAA, CCPA, GDPR, and other provincial laws) and interpret how they apply to your operations. Our consultants conduct compliance audits and gap analyses to see where your current practices meet or fall short of legal requirements. We then help you implement or enhance accountability measures: maintaining Records of Processing, mapping data flows, embedding privacy by design, and building documentation to demonstrate compliance. In short, we translate complex legislation into practical steps to protect your organization and data subjects.

Privacy Policy & Procedure Development

Clear, up-to-date policies and procedures are the backbone of a privacy program. We help you draft and refine all necessary documentation: privacy notices, cookie policies, consent forms, data retention schedules, breach response plans, and more. Our writing ensures these policies are both legally compliant and understandable to users. We also establish procedures for routine tasks (like onboarding/offboarding, data sharing, and vendor assessment) so that privacy controls are seamlessly integrated into everyday operations.

Stakeholder Engagement & Focus Groups

Building trust means engaging those whose data you handle. We facilitate stakeholder consultations and customer focus groups to gather input on privacy issues. These sessions can reveal how users perceive your data practices, identify concerns, and test new policy drafts. The insights help you align your privacy program with stakeholder expectations. We also train your leaders in communication skills for privacy matters, so every interaction (from press releases to customer support) reinforces your commitment to protecting data.

Mentoring, Staffing & Project Support

Whether you need short-term expertise or long-term coaching, we’ve got you covered. We mentor junior privacy staff to accelerate their learning, provide experienced interim privacy professionals during staff transitions, and offer guidance on specific projects (like GDPR readiness, new IT deployments, or mergers and acquisitions). Think of us as an extension of your team: project managers, privacy architects, or trainers ready to step in wherever and whenever needed.

Virtual Privacy Officer Services

Expert privacy leadership on demand.

I act as your designated Privacy Officer — providing accountability, strategic guidance, and peace of mind without the cost of a full-time resource.

Why Choose a Virtual Privacy Officer?

What’s Included

  • Formal designation as your Privacy Officer
  • Development and ongoing maintenance of your Privacy Management Program
  • Regular reporting to leadership / board
  • Policy development, review, and updates
  • Breach response planning and incident support
  • Regulatory horizon scanning and compliance alerts
  • Coordination of staff training and awareness

More Core Services

Privacy Program Development & Audits

I design, implement, and audit comprehensive privacy programs that meet PIPEDA, PIPA, POPA, Alberta HIA, and other regulatory requirements.

Regulatory Compliance Consulting

Expert guidance on Canadian and cross-border privacy laws, including data transfers, industry-specific obligations, and regulatory changes.

Incident Response & Breach Management

Develop robust breach response plans and receive expert support during privacy incidents to reduce risk and meet mandatory reporting requirements.

Training & Awareness Programs

Practical, role-specific training programs that build a strong culture of privacy across your organization.

Healthcare Privacy Specialization

Specialized support for health custodians under Alberta’s Health Information Act (HIA), including Privacy Impact Assessments (PIAs), audits, and breach protocols.

Ready to strengthen your privacy program?