A practical glossary of PPCDA terms for Canadian SaaS teams — written for operators, not lawyers.
PPCDA introduces new terminology and reframes existing privacy concepts around evidence, ownership, and operational enforcement.
Data Subject Access Request — a user request to access, delete, or correct their data. PPCDA requires evidence for every step.
Artifacts proving an action occurred: logs, exports, screenshots, deletion confirmations, access records.
The schedule defining how long data is kept. PPCDA requires proof of automated and manual deletion.
Role-based permissions, MFA enforcement, privileged access restrictions, and revocation evidence.
Proof that vendors enforce your retention, access, and deletion requirements — not their defaults.
A list of all systems holding customer data — internal, vendor, legacy, and archived.
A formal request from a user asking for access to, deletion of, or correction of their personal data. PPCDA requires timestamped logs, verification steps, exports, deletion proof, and a full audit trail.
Any artifact proving a compliance action occurred. Examples: deletion logs, access logs, exports, screenshots, vendor confirmations, retention enforcement logs.
A documented timeline defining how long each category of data is stored. PPCDA requires proof of enforcement — automated deletion, manual deletion, and exception tracking.
Permissions defining who can access which data. PPCDA requires evidence of MFA, role-based access, privileged access restrictions, and revocation logs.
Vendors must enforce your retention, deletion, and access requirements. PPCDA requires evidence of alignment: deletion guarantees, access control proof, retention logs, and DSAR support.
A complete list of systems holding customer data. PPCDA requires evidence of mapping accuracy, updates, and ownership across teams.
A timestamped record of every action taken during a compliance workflow. PPCDA requires full audit trails for DSARs, retention enforcement, vendor reviews, and access control changes.
Proof that data was deleted — logs, screenshots, vendor confirmations, or system-level evidence.
Documentation for data that cannot be deleted due to legal or operational constraints. PPCDA requires justification and periodic review.
Technical safeguards protecting customer data. PPCDA requires evidence of encryption, logging, monitoring, vulnerability management, incident response, and backup verification.
Kelunoa helps teams centralize evidence, map ownership, and operationalize PPCDA compliance across privacy, ops, and security.