About this AI privacy risk assessment
This tool evaluates ten risk factors, grouped into seven domains. The factors are: written AI policy, shadow AI visibility, client-data exposure, cyber-insurance readiness, Microsoft 365 Copilot configuration, employee training, professional regulatory obligations, incident response, vendor data practices, and overall posture. Each question is weighted by severity, and results are calculated entirely in your browser; nothing is stored or transmitted.
Why Canadian businesses face AI privacy risk in 2026
The regulatory environment shifted in May 2026 when the Office of the Privacy Commissioner formally ruled that OpenAI's ChatGPT violated PIPEDA, citing problems with data collection, consent, and safeguards. The ruling matters because it establishes how Canadian privacy law applies to data flowing through public AI systems — which affects every business whose employees use those tools.
"76% of employees admit to using unauthorized AI tools at work. Most of their managers don't know." — IBM Institute for Business Value, 2025
For professional services businesses — legal firms, accounting practices, financial advisories, healthcare clinics — exposure compounds because employees handle confidential client data under strict professional obligations. The Law Society of Ontario has warned lawyers that AI tool usage with client data risks disciplinary action. CPA Canada confirms accountants retain personal liability for AI-related errors. Neither body has banned AI; both require documented governance.
What is shadow AI?
Shadow AI is AI usage inside a business without authorization or oversight. In 2026 this extends well beyond ChatGPT to AI writing assistants in browsers, Copilot features in Microsoft 365, note-taking tools that summarize meetings, browser extensions that read page content, and AI baked into CRMs and email clients. Many are active by default, many retain content for training, and most users have not read the data-handling terms.
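Shadow AI visibility starts with an inventory of which AI services are actually being reached from the network. The following added example (not part of the original page or of the assessment tool) shows the simplest version of that check: it scans egress proxy log lines for known AI service hostnames, attributes them to users, and flags services that are not on an approved list. The log format, the catalogue of hostnames, and the approved list are assumptions for the example; a real audit would use the organization's proxy or firewall export and a maintained catalogue.

```python
"""Inventory AI SaaS endpoints seen in egress proxy logs (example, not the page's tool)."""
import re
from collections import defaultdict

# Partial catalogue of AI-service hostnames. This is an assumption for the
# example; a real audit would maintain and extend this list.
AI_SERVICES = {
    "chatgpt.com": "ChatGPT (OpenAI)",
    "chat.openai.com": "ChatGPT (OpenAI)",
    "api.openai.com": "OpenAI API",
    "claude.ai": "Claude (Anthropic)",
    "gemini.google.com": "Gemini (Google)",
    "copilot.microsoft.com": "Microsoft Copilot",
    "otter.ai": "Otter.ai (meeting notes)",
    "grammarly.com": "Grammarly (writing assistant)",
}

# One request per line, in a simplified format assumed for this example:
#   <ISO timestamp> <user> <destination host> <bytes uploaded>
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def service_for(host):
    """Return the catalogue entry for host or any parent domain, else None.

    'www.claude.ai' matches 'claude.ai'; 'evil-chatgpt.com' does not match
    anything, because only whole labels are compared.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never test a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in AI_SERVICES:
            return AI_SERVICES[candidate]
    return None


def inventory(lines):
    """Group matching requests as service -> user -> {requests, bytes_up}.

    Malformed lines and non-AI destinations are skipped. Bytes uploaded is
    the useful signal: large uploads to a chat service suggest documents,
    not one-line questions.
    """
    found = defaultdict(lambda: defaultdict(lambda: {"requests": 0, "bytes_up": 0}))
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        _timestamp, user, host, bytes_up = m.groups()
        service = service_for(host)
        if service is None:
            continue
        entry = found[service][user]
        entry["requests"] += 1
        entry["bytes_up"] += int(bytes_up)
    return {service: dict(users) for service, users in found.items()}


def unsanctioned(inv, approved):
    """Services seen in the inventory that are not on the approved list."""
    return sorted(service for service in inv if service not in approved)


# Constructed sample log lines for the example (not from any real environment).
SAMPLE_LOG = [
    "2026-03-02T09:14:03Z jdoe chatgpt.com 48213",
    "2026-03-02T09:14:07Z jdoe chatgpt.com 1024",
    "2026-03-02T09:20:11Z asmith www.claude.ai 9001",
    "2026-03-02T09:21:44Z asmith copilot.microsoft.com 3300",
    "2026-03-02T09:25:00Z bwong otter.ai 220000",
    "2026-03-02T09:26:30Z jdoe intranet.example.com 512",
    "malformed line",
]

# Assumed approved list for the example: only the tenant's own Copilot is sanctioned.
APPROVED = {"Microsoft Copilot"}

if __name__ == "__main__":
    inv = inventory(SAMPLE_LOG)
    for service in unsanctioned(inv, APPROVED):
        for user, stats in sorted(inv[service].items()):
            print(f"{service}: {user} made {stats['requests']} request(s), "
                  f"uploaded {stats['bytes_up']} bytes")
```

With TLS, a proxy or firewall log shows the destination hostname (from SNI or the CONNECT request) and byte counts, not the prompt contents, so this identifies who is using which service and how much they send, not what they sent. It also misses AI features embedded in already-approved applications, which call the vendor's own endpoints; those have to be found in the vendor's admin settings rather than in network logs.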
What is an AI Acceptable Use Policy and do you need one?
An AI Acceptable Use Policy is a written document defining which AI tools employees may use, what categories of data can and cannot be entered, disclosure rules for AI-generated content, prohibited uses, and consequences for violations. The Law Society of Ontario, CPA Canada, and most Canadian cyber insurers now treat a documented policy as a baseline requirement. Without one, a business has no documented standard of care if something goes wrong.
How cyber insurance is changing
Cyber insurers began adding AI governance questions to renewals in 2025 and accelerated through 2026 after the OPC ruling. Common questions include whether you have a written AI policy, which tools employees are authorized to use, whether Copilot is configured with data boundaries, and whether staff have completed AI privacy training. Businesses that cannot answer may face premium increases or exclusions for AI-related incidents.
How this score is calculated
This is a self-reported assessment, not a formal audit. Scores reflect your answers, not an independent review of your systems. The two highest-weighted questions — written AI policy and shadow AI visibility — create the most direct PIPEDA exposure and are most commonly missing. A low score does not guarantee compliance and a high score does not guarantee a problem; for a formal review, consult a qualified privacy professional.
Frequently asked questions
Is my business at risk if employees use ChatGPT with client data?
Yes. In May 2026, Canada's Privacy Commissioner ruled that ChatGPT violated PIPEDA. If employees use public AI tools with confidential client data and you have no documented AI policy, your business bears the regulatory and legal liability. Legal, accounting, and financial services firms face the highest exposure because they handle sensitive information under strict professional obligations.
What does a PIPEDA violation actually cost?
Under current PIPEDA, the Privacy Commissioner cannot impose fines directly; the Act's offence provisions carry penalties of up to C$100,000, for example for knowingly failing to report a breach or obstructing an investigation. Reform legislation moving through Parliament in 2026 would raise penalties to the greater of C$25 million or 5% of gross global revenue. Beyond fines, a breach that creates a real risk of significant harm triggers mandatory notification to the Commissioner and to affected individuals, and an incident brings reputational damage, potential civil liability and, for regulated professionals, disciplinary proceedings.
Is Microsoft Copilot safe to use with client data?
Copilot can be safe, but only if configured correctly. Microsoft 365 Copilot respects each user's existing permissions, which means it can reach everything that user could already open in your tenant, including over-shared files from other departments that nobody realized were accessible. It does not create new access, but it makes existing over-sharing easy to discover: a single prompt can surface a document that would never have been found by browsing. Without permission scoping (cleaning up broad sharing, applying sensitivity labels, and restricting which sites Copilot can search) it will surface sensitive data across your organization. Business and enterprise tiers do not train Microsoft's models on your data, but they still require this configuration work.
What is the difference between this assessment and a formal audit?
This is a self-reported tool that identifies likely gaps and gives a risk score to help prioritize. A formal shadow AI audit is a structured review of your actual environment — every AI tool in use, how each handles data, which create compliance risk, and a remediation plan — producing documentation suitable for an insurer, regulator, or client inquiry.
Does cyber insurance cover AI-related data incidents?
Not automatically. Insurers now add AI governance questionnaires to renewals. Businesses without a documented AI policy, shadow AI audit, or employee training may face higher premiums or denied claims. The key documents insurers look for: a written AI Acceptable Use Policy, evidence of training, and confirmation that tools like Copilot are configured with appropriate boundaries.
Where can I get a proper AI policy for my business?
Several organizations publish templates and guidance — the Law Society of Ontario and CPA Canada for their professions, and Microsoft for Copilot governance. For a custom AI Acceptable Use Policy with technical implementation, M365 configuration, shadow AI audit, and ongoing management, you can work with a specialist. See the resources section above, including the OPC's own self-assessment tool.