One of the most important differences, I think—a distinction—that the GDPR in Europe brought to bear is that when a privacy impact assessment is conducted, when an organization has a data protection officer, which they must, their focus under the GDPR is the risk to the individual whose information is being collected, used, etc. It's not the risk to the organization. In my experience, that is all too often how Canadian organizations look at it.
First of all, if they have a preliminary PIA—because we're busy; we're a large organization—the few people who actually understand it are too busy to do a PIA for everybody, so they ship it back to the department and say, “Here, you do a preliminary PIA, and you tell me if you think we need to do a PIA.” They don't know what they're looking at, so of course it's easy to say, “Nah, it doesn't affect personal information, so we don't need a PIA.” That's where it ends. That's a flawed system.
When they do do a PIA, some of them are just so cursory. It talks about the benefits of a product or a new system or something, but it doesn't talk about the risk to the individual. It's as if their role is to protect the risk of the organization. That has to change.