Privacy as a Risk Management Challenge for Corporate Practice

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.


Ryerson University




This research examines the state of privacy as a risk management discipline within the Canadian (PIPEDA) context, and assesses the current state of corporate practice in implementing a risk-based approach to privacy management. The researchers were concerned with understanding how organizations that collect, store and manipulate large amounts of personally identifiable information manage information privacy as a risk and how privacy considerations are reflected in their enterprise risk management regimes. The research documents typical practices for privacy risk management and develops a set of “best practices” that can be shared by Canadian privacy professionals.

Specifically, the project pursued the following objectives:

  • Assess the extent to which the risk-based approach to information privacy has become the norm in various industries.
  • Identify the rationale(s) employed within the various industries for the risk-based approach.
  • Identify the specific practices engaged by firms to incorporate privacy risk within enterprise risk management regimes.
  • Identify how privacy risk is characterised, classified and measured.
  • Develop a privacy risk management framework that captures the key issues associated with privacy as a risk to be managed.
  • Document the relationship among the key personnel responsible for both the risk management and privacy programs within firms to understand how different approaches are reconciled within an enterprise risk management program.
  • Identify the extent to which firms have adopted risk management versus information management approaches to privacy management.
  • Assemble a set of risk-based privacy “best practices”.

This document is available in the following language(s):

English only

OPC Funded Project

This project received funding support through the Office of the Privacy Commissioner of Canada’s Contributions Program. The opinions expressed in the summary and report(s) are those of the authors and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada. Summaries have been provided by the project authors. Please note that the projects appear in their language of origin.

Contact Information

Tel: 416-979-5316
