Privacy & Risk Advisory

Privacy is a business asset.
Treat it like one.

Privacy is not a compliance checkbox — it is a signal of trustworthiness to your customers, regulators, and partners. Our advisory practice integrates privacy-by-design into security architecture, compliance programs, and operational processes. Risk advisory provides the structured frameworks and independent perspective your team needs to make informed, defensible decisions.

Privacy built in, not bolted on

Privacy controls designed after a system is built are always more expensive, less effective, and harder to sustain. We integrate privacy-by-design from the architecture phase — before code is written and before data flows are set.

Risk that drives decisions

Risk assessments that produce traffic-light reports nobody acts on are not useful. Our risk advisory produces findings that are prioritized, contextualized, and tied to specific decisions your leadership team needs to make.

One workstream, not two

Privacy and security are not separate disciplines — they share data flows, controls, architectures, and governance. We advise on both simultaneously, so your organization builds one coherent program rather than two parallel ones.

What we advise on

Two integrated advisory pillars

Privacy advisory and risk advisory are delivered as an integrated practice — the same data flows, controls, and governance structures underpin both.

Pillar 1

Privacy Advisory

Advisory covering both management and technical privacy dimensions — from program governance through to architecture-level controls.

  • Privacy Impact Assessment (PIA)

    Standalone and integrated PIAs — from project-level assessments through to enterprise-wide data governance reviews.

  • Privacy-by-Design Architecture

    Integration of privacy controls into system and application architecture from the design phase — data minimization, purpose limitation, retention controls, and consent architecture.

  • Privacy Compliance Programs

    Advisory on building and maintaining privacy compliance programs aligned to PIPEDA, CPPA, FIPPA, GDPR, and sector-specific requirements — including policy development and governance structures.

  • Data Mapping & Classification

    Advisory on identifying and documenting personal information flows, data inventory, classification frameworks, and retention schedules — the foundation for both compliance and breach response.

  • Data Breach Response Planning

    Advisory on developing breach response plans — detection, containment, notification obligations, and recovery procedures — aligned to PIPEDA, CPPA, and GDPR breach notification requirements.

  • Vendor Privacy Assessment

    Privacy assessment of third-party vendors and suppliers handling personal information — contractual requirements, data processing agreements, and due diligence frameworks.

Pillar 2

Risk Advisory

Structured, independent risk assessment advisory — from enterprise-level security risk through to project-level threat analysis and third-party risk programs.

  • Security Risk Assessments

    Enterprise and project-level security risk assessments — identifying, analyzing, and prioritizing risks to inform security investments and governance decisions.

  • Threat Risk Assessments (TRA)

    Structured threat risk assessment methodology — threat identification, likelihood and impact analysis, and risk treatment recommendations. Documented findings for management decision-making and regulatory evidence.

  • Third-Party & Supplier Risk

    Advisory on building and operating a third-party risk management program — questionnaire development, risk tiering, ongoing monitoring, and contractual security requirements.

  • Compliance Impact Assessments

    Assessment of regulatory and compliance impact for new projects, initiatives, and third-party engagements — before commitments are made, not after.

  • FAIR Risk Analysis

    Factor Analysis of Information Risk (FAIR) methodology for quantitative risk analysis — moving beyond traffic-light ratings to defensible, financially grounded risk estimates that resonate with boards and executives.

  • Security Maturity Assessment

    Assessment of your security program's current maturity against a recognized framework — NIST CSF, ISO 27002, or a hybrid — with benchmarking and prioritized improvement recommendations.

Regulatory coverage

Privacy legislation we advise on

Canada's privacy landscape is evolving — CPPA will eventually replace PIPEDA, and provincial legislation adds further complexity. We advise on the full landscape, not just the most familiar regulation.

PIPEDA

Personal Information Protection and Electronic Documents Act

Canada's federal private-sector privacy law. Applies to organizations collecting, using, or disclosing personal information in the course of commercial activity across provincial borders.

CPPA

Consumer Privacy Protection Act

Canada's proposed modernization of PIPEDA — introducing stronger consent requirements, expanded individual rights, and significant penalties. Advisory on preparing for the transition.

FIPPA

Freedom of Information and Protection of Privacy Act

Ontario's provincial privacy legislation governing public sector institutions — ministries, agencies, municipalities, and broader public sector organizations.

GDPR

General Data Protection Regulation

The EU's comprehensive data protection regulation. Applies to Canadian organizations that offer goods or services to EU residents or monitor their behaviour — more Canadian organizations are in scope than they realize.

Sector

Sector-Specific Requirements

FSRA and OSFI cybersecurity and privacy expectations for Ontario and federally regulated financial institutions. Advisory on navigating regulatory examinations and self-assessments.

How we work

Privacy Impact Assessment approach

A Privacy Impact Assessment is only as useful as the process behind it. Ours is structured, defensible, and tied to actionable recommendations — not a compliance exercise that gets filed away.

Scope & Context

Define the project, system, or initiative in scope. Identify personal information involved, applicable legislation, and key stakeholders.

Data Flow Analysis

Map how personal information is collected, used, disclosed, stored, and destroyed. Identify third parties and cross-border flows.

Risk Identification

Identify privacy risks against applicable legislation and principles. Assess likelihood and impact of each risk with supporting rationale.

Recommendations & Reporting

Prioritized recommendations to mitigate identified risks. Documented findings suitable for management decision-making and regulatory review.

Industry contribution

OWASP Top 10 Privacy Risks

Sarakinov Consulting contributed to the OWASP Top 10 Privacy Risks – Countermeasures project — the industry reference for understanding and mitigating privacy risks in web applications and digital services. This hands-on contribution to open-source privacy standards reflects a commitment to advancing privacy practice beyond client engagements, and informs the practical, technically grounded privacy advisory we bring to every engagement.

In practice

Privacy & risk advisory in regulated environments

A representative selection of privacy and risk advisory engagements. Client identities are kept confidential.

Regional Smart Card Payment System · 2012–2015

Privacy Impact Assessments coordinated with Privacy Commissioner

Provided privacy advisory for a regional fare payment system — conducting Privacy Impact Assessments in coordination with the Privacy Commissioner's guidance. Advised on privacy-by-design controls, data minimization, and retention frameworks for a system handling personal travel data for over one million fare card holders.

Privacy Impact Assessment · Privacy by design · Privacy Commissioner · Data minimization

Ontario Credit Union · 2022–2025

Third-party risk advisory and compliance support

Provided ongoing third-party and supplier risk advisory as part of a Fractional CISO engagement — developing the supplier security questionnaire, advising on risk tiering, and supporting FSRA regulatory compliance. Privacy requirements integrated into supplier assessment criteria and contractual frameworks.

Third-party risk · FSRA compliance · Supplier assessment · Privacy integration

Provincial Government — Multiple Ministries · 2000–2011

Privacy-by-design for citizen-facing digital services

Over a decade of privacy advisory to provincial government ministries — including privacy-by-design architecture for citizen-facing digital platforms, compliance guidance, and privacy integration.

Privacy by design · FIPPA · Citizen data · Shared services

Major Canadian P&C Insurer · 2016–2017

Privacy and security architecture integration

Advised on integrating privacy requirements into the Enterprise Architecture Framework — fostering collaboration between the Enterprise Architecture team and the Privacy Office to ensure privacy controls were embedded in architecture decisions rather than treated as a separate compliance function. Data protection standards incorporated into claims platform architecture.

Privacy integration · Data protection · Architecture governance · EA framework

Get started

Ready to build a real privacy program?

Whether you need a Privacy Impact Assessment, help preparing for CPPA, or a comprehensive risk advisory program — start with a 30-minute conversation.