From Principle to Practice
Closing the Implementation Gap Together
May 7, 2026
#PrivacyInPracticeCA
Introduction: From Good Intentions to Demonstrable Action
Privacy principles are only meaningful when implemented. Policies operationalized in systems protect people. The gap between stated commitments and actual practice, the implementation gap, exists across sectors and requires sustained attention.
This series has examined privacy principles, celebrated genuine achievements, and identified areas for improvement. But principles and achievements mean little if they do not translate into consistent practice across the Canadian digital trust and identity ecosystem.
This article examines the implementation gap: why it exists, where implementation succeeds, and what serious implementation requires of all stakeholders.
Understanding the Implementation Gap
The implementation gap is the distance between what organizations say about privacy and what their systems actually do. This gap exists for understandable reasons, not because organizations are dishonest, but because implementation faces real challenges.
Legacy Systems and Technical Debt
Many organizations operate systems designed before current privacy principles were established. These legacy systems may collect data that newer approaches would avoid. They may lack selective disclosure capability. They may create tracking risks that modern architecture would prevent.
Replacing legacy systems is expensive, risky, and disruptive. Organizations must maintain operations while transitioning. New systems must integrate with existing infrastructure. Staff must learn new processes. The investment required is substantial.
This challenge affects both government and industry. Public sector systems often have longer replacement cycles and more complex procurement requirements. Budget cycles may not align with modernization needs. Private-sector systems face distinct pressures: competitive timelines, investor expectations, and acquisition-related technology integration.
The result is systems that do not reflect current privacy commitments because implementing them requires transforming existing infrastructure.
Resource Constraints
Privacy implementation requires investment in engineering resources, security expertise, privacy professionals, and testing and validation. Organizations with limited resources must prioritize. Privacy improvements compete with other demands.
This constraint is especially acute for smaller organizations. Large enterprises may have dedicated privacy teams and substantial technology budgets. Smaller organizations, including many DIACC members, must achieve privacy goals with fewer resources.
Resource constraints do not excuse poor privacy practice, but they help explain why implementation lags. Addressing the gap requires recognizing resource realities and developing approaches that work within them.
Competing Priorities
Time-to-market pressures can deprioritize privacy features. When launch deadlines loom, features that are not customer-visible may be deferred. Privacy enhancements that do not affect user experience may be prioritized lower than features that do.
This pressure exists across sectors. Government systems face political timelines. Private sector systems face competitive windows. In both contexts, the implementation of privacy may be postponed to meet other deadlines.
The consequences of this deprioritization accumulate. Deferred privacy features become technical debt. Workarounds become permanent. Systems that were supposed to be “temporary” become entrenched.
Measurement Challenges
Privacy success is often invisible. Success is the breaches that did not happen, the tracking that did not occur, and the data that was not collected. Measuring privacy implementation is more complicated than measuring features users can see.
This measurement challenge affects organizational attention. What gets measured gets managed. When privacy implementation is hard to measure, it may receive less management attention than more visible metrics.
Organizational Complexity
Large organizations have multiple systems, teams, and processes. Consistent privacy implementation across all of them requires coordination that may not exist. One team may implement excellent privacy practices while another team, using different systems, does not.
This complexity means that organizational privacy commitments do not automatically translate to consistent practice. Even organizations with strong privacy values may have implementation gaps in specific systems or processes.
Where Implementation Is Succeeding
Despite these challenges, genuine implementation success exists. Examining successes identifies what enables implementation.
Provincial Wallet Programs
BC and Alberta wallet implementations demonstrate privacy-by-design at scale.[1][2] These are production systems serving real residents with genuine privacy protection.
BC’s digital wallet stores credential information locally and shares nothing without user consent. As BC’s privacy policy states: “Information about your use of the BC Wallet is stored within the BC Wallet and is not shared by BC Wallet without your consent.”[1] Alberta’s wallet provides similar protections: “Only you know where and when information is shared. Issuers are not able to track or monitor where digital documents are used.”[2]
What enabled this success? Deliberate architectural choices were made early in the development process. Leadership commitment to privacy as a design requirement. Investment in implementation, not just policy. Technical expertise to translate principles into working systems.
These programs demonstrate that implementing privacy is achievable when organizations commit to it. The technical capability exists. The question is whether organizations invest in using it.
Quebec’s Legislative Framework
Quebec’s Bill 82 translates privacy principles into legal requirements.[3] This legislation does not just articulate principles. It mandates implementation with specific requirements for selective disclosure, anti-surveillance protections, and biometric governance. The law explicitly prohibits the use of digital identity data for profiling or surveillance and requires public consultation before any use of biometric identifiers.
Legislative requirements change organizational incentives. When privacy implementation is legally required, it receives resources and attention that voluntary commitments may not generate. Quebec’s approach demonstrates that policy can drive implementation.
Private Sector Innovation
Some private sector organizations have made privacy implementation a competitive differentiator. Organizations across the identity verification, financial services, and technology sectors have invested in selective disclosure capability, privacy-preserving authentication, and on-device biometrics, recognizing that privacy protection can drive customer adoption.
These organizations demonstrate that privacy implementation can align with business success. They have found that privacy protection builds trust that drives customer adoption. The business case for privacy, when articulated clearly, can unlock resources for implementation.
What distinguishes these leaders? They treat privacy as a product feature, not just a compliance requirement. They invest in privacy expertise and embed it in product development. They measure privacy implementation and hold teams accountable. They communicate privacy protection as a competitive advantage.
PCTF Certification Progress
PCTF certifications translate privacy principles into operational standards with assessment processes.[7][8] Certified organizations have demonstrated implementation through independent third-party review, not just policy commitment.
The certification process itself drives implementation. Organizations preparing for certification identify gaps and address them. The prospect of external assessment motivates improvement that internal processes alone might not generate.
Certified organizations provide existence proofs that implementation is achievable. Their success identifies practices that others can adopt. Their experiences inform certification criteria refinement.
The Scope and Limits of Voluntary Standards
DIACC operates a voluntary, industry-led certification model. Understanding what this model provides and where it naturally operates within a broader ecosystem helps clarify the path forward.
What Voluntary Standards Provide
Voluntary certification offers several advantages. It moves faster than legislative processes, adapts more readily to technological change, and leverages industry expertise to develop practical standards. Organizations that pursue voluntary certification demonstrate commitment beyond minimum compliance. The certification process itself drives improvements in implementation.
PCTF certification establishes baseline expectations and provides external validation.[7] It creates a common language for privacy-protective digital identity and enables organizations to demonstrate their practices to partners and customers.
Where Voluntary Standards Operate
Voluntary standards operate differently from regulatory requirements, and this shapes their coverage and impact.
Participation is elective. Organizations choose whether to pursue certification. This means certified organizations represent those who have opted in, not the full universe of digital identity activity in Canada. Expanding coverage requires making certification both accessible and valuable enough to attract more organizations to seek it.
Consequences are market-based. Certification creates market signals rather than legal penalties. Organizations that lose certification face reputational and commercial consequences, not regulatory sanctions. This model works well for organizations that compete on trust but may be less effective for those facing different market pressures.
Standards focus on what can be assessed. DIACC has invested significantly in developing rigorous standards. Translating those standards into verifiable assessment criteria and building the infrastructure to conduct assessments at scale is ongoing work. Standards that cannot be practically assessed provide limited benefit.
These are design features of voluntary, industry-led models, not deficiencies. They reflect the natural boundaries between what voluntary standards can achieve and what regulatory frameworks provide, including different incentives and enforcement mechanisms. Recognizing these boundaries honestly is essential to designing effective collaboration across both domains.
The Complementary Relationship
The most effective privacy ecosystems combine voluntary standards with regulatory frameworks. Voluntary standards establish best practices and enable leaders to differentiate. Regulatory frameworks establish floors and address actors who might not voluntarily participate. Neither alone is sufficient; together, they create layered accountability.
This is why DIACC has consistently supported thoughtful privacy legislation alongside our standards work.[10] Stronger regulatory frameworks do not undermine voluntary standards; they complement them by ensuring baseline protections while allowing voluntary certification to recognize organizations that exceed those baselines.
The FPT Privacy Commissioners recognized this complementary relationship in their 2022 Joint Resolution, calling for governments to “establish clear accountability mechanisms to meet transparency and privacy obligations, including providing authority and resources for regulators to exercise adequate oversight.”[9] Independent oversight and industry self-regulation serve different functions; both are necessary.
What Serious Implementation Requires
Closing the implementation gap requires more than good intentions. It requires specific commitments and investments.
Privacy by Design as a Technical Requirement
Privacy by Design, the framework developed by Dr. Ann Cavoukian and endorsed by international data protection authorities, establishes that privacy must be proactive rather than reactive, embedded into system architecture, and maintained as a default setting.[4] This approach has influenced privacy regulations globally, including GDPR’s requirement for data protection by design and by default.
Privacy can be a technical requirement from project inception, not an afterthought added before launch. This means privacy expertise in design reviews, privacy requirements in technical specifications, and privacy validation in testing.
Organizations that treat privacy as a compliance checkbox applied late in development will continue to have implementation gaps. Organizations that treat privacy as a design requirement from the beginning will close those gaps.
Resourced Commitments
Privacy implementation requires investment. Organizations can allocate engineering resources, budget for privacy expertise, and accept schedule implications. Commitments without resources are not commitments.
Budget allocation reveals organizational priorities. Organizations that prioritize privacy implementation fund it. Organizations that merely endorse privacy principles may not.
Leadership Accountability
Leaders can be accountable for implementing privacy, not just for the privacy policy. This means privacy metrics in executive dashboards, privacy implementation in performance reviews, and privacy outcomes in organizational reporting.
When leaders are held accountable for implementation, implementation receives attention. When accountability focuses only on policy statements, implementation may lag.
External Validation
Self-assessment is insufficient. External validation, through certification, audit, or regulatory examination, provides accountability that internal processes cannot. Organizations genuinely committed to implementation welcome external review.
External validation also benefits organizations by identifying gaps that internal processes miss. The external perspective catches issues that organizational familiarity may obscure.
The Investment Case
Privacy implementation requires upfront investment. Organizations weighing this investment should consider the returns in terms of direct benefits and avoided costs.
Trust and Adoption
Privacy implementation builds trust that drives adoption. Systems that demonstrably protect privacy earn user confidence. This confidence translates to participation that non-privacy-protective systems may not achieve.
Trust is crucial in digital identity. Users must share sensitive information to use these systems. Users who doubt privacy protection will resist adoption, regardless of other system benefits. Privacy implementation removes adoption barriers that alternative approaches cannot address.
Reduced Breach Impact
Data that is not collected cannot be breached. Systems implementing data minimization have smaller breach surfaces. When breaches occur, minimizing data limits harm.
The cost of breaches extends beyond immediate remediation. According to IBM’s Cost of a Data Breach Report, the global average cost of a data breach reached USD 4.44 million in 2025, with U.S. organizations facing costs of USD 10.22 million, the highest globally for the fifteenth consecutive year.[6] Organizations that extensively use security AI and automation saved an average of USD 1.9 million and shortened the breach lifecycle by 68 days.
Reputational damage affects customer relationships. Regulatory scrutiny increases. Future opportunities may be foreclosed. Investing in privacy measures to prevent breaches avoids these downstream costs.
Compliance Positioning
Privacy regulations are tightening globally. Total GDPR fines since 2018 have reached €5.88 billion, with enforcement expanding beyond technology companies to financial services, healthcare, energy, and other sectors.[5] Canada faces ongoing pressure to modernize its privacy legislation, with the Office of the Privacy Commissioner issuing 15 key recommendations to strengthen federal private-sector privacy law.[10]
Organizations that implement privacy protection now position themselves well for future requirements. Retrofitting implementation to meet new regulations costs more than building it from the start. Early implementation creates a competitive advantage when regulations tighten.
Competitive Differentiation
In markets where trust matters, demonstrated privacy implementation is a differentiator. Organizations that can demonstrate implementation through certification, audit, or other validation distinguish themselves from those who merely claim it.
As privacy awareness grows, this differentiation becomes more valuable. Customers increasingly seek privacy-protective services. Business customers increasingly require vendor privacy compliance. Organizations with demonstrated implementation capture these opportunities.
The Path Forward
Closing the implementation gap requires sustained effort from all stakeholders. No single actor can close the gap alone, and collaboration is essential.
Governments can allocate resources to public-sector implementation and create regulatory frameworks that incentivize private-sector implementation. Modernizing public-sector systems requires budget commitment and procurement flexibility. Creating effective regulatory incentives requires understanding implementation realities and designing achievable requirements.
Industry can invest in implementation as a business priority rather than a compliance afterthought. This means allocating engineering resources, hiring privacy expertise, and accepting schedule implications. It means treating privacy implementation as a product feature customers value, not a cost center to minimize.
Civil society can continue to press for implementation, not just for policy. Privacy advocates play essential roles in maintaining pressure and calling out gaps between stated commitments and actual practice. Their scrutiny keeps implementation on organizational agendas.
DIACC’s approach centres on strengthening our certification programs and demonstrating implementation in our own operations. We are working to expand certification coverage, improve verification mechanisms, and make certification more accessible to smaller organizations while maintaining meaningful standards. We are prepared to acknowledge our areas for improvement and work collaboratively to address them.
The gap will not close quickly. Legacy systems take time to replace. Organizational practices take time to change. Resource constraints do not disappear because we wish them away. But the gap will not close at all without deliberate effort.
We invite all stakeholders to join us in moving from principle to practice.
Next Week
Article 13 examines Canada’s Digital Trust and Identity Crossroads: A Call to Collaborative Action
Comprehensive recommendations for government, industry, and civil society and DIACC’s specific commitments.
Footnotes
[1] Government of British Columbia, “BC Wallet” (2026) and “BC Services Card Authentication Service.” The BC Wallet provides secure credential storage with privacy-preserving selective disclosure. The BC Services Card Authentication Service provides high-assurance identity verification to over 4.8 million British Columbians. Privacy policy states: “Information about your use of the BC Wallet is stored within the BC Wallet and is not shared by BC Wallet without your consent.” https://www2.gov.bc.ca/gov/content/governments/government-id/bc-wallet and https://digital.gov.bc.ca/bcgov-common-components/bc-services-card/
[2] Government of Alberta, “Alberta Wallet” (2025). The Alberta Wallet complies with Alberta’s privacy legislation and adheres to the Government of Alberta, Pan-Canadian, and international data security standards. Key privacy feature: “Only you know where and when information is shared. Issuers are not able to track or monitor where digital documents are used.” https://www.alberta.ca/alberta-wallet
[3] National Assembly of Québec, Bill 82, “An Act respecting the national digital identity and amending other provisions” (passed October 29, 2025). Bill 82 establishes requirements for selective disclosure, prohibits the use of digital identity data for profiling or surveillance, mandates public consultation on the use of biometrics, and establishes a voluntary adoption model. https://www.assnat.qc.ca/en/travaux-parlementaires/projets-loi/projet-loi-82-43-1.html
[4] Dr. Ann Cavoukian, “Privacy by Design: The 7 Foundational Principles” (Information and Privacy Commissioner of Ontario). The Privacy by Design framework, developed in the 1990s and unanimously endorsed by the International Conference of Data Protection Authorities in 2010, establishes that privacy must be proactive rather than reactive, embedded into design, and maintained as a default setting. The framework has been translated into 37 languages and influenced privacy regulations globally, including GDPR. https://gpsbydesigncentre.com/the-seven-foundational-principles/
[5] DLA Piper, “GDPR Fines and Data Breach Survey: January 2025.” Total GDPR fines since 2018 have reached €5.88 billion (USD 6.17 billion), with €1.2 billion issued in 2024 alone. Ireland remains the preeminent enforcer, having issued €3.5 billion in fines since May 2018. The survey also found an average of 363 breach notifications per day across Europe. https://www.dlapiper.com/en/insights/publications/2025/01/dla-piper-gdpr-fines-and-data-breach-survey-january-2025
[6] IBM Security, “Cost of a Data Breach Report 2025.” The global average cost of a data breach was USD 4.44 million in 2025, a 9% decrease from 2024, driven by faster identification and containment. The United States incurred the highest costs, at USD 10.22 million, representing a 9% increase. Organizations that extensively use AI and automation saved an average of USD 1.9 million and shortened the breach lifecycle by 68 days. Healthcare remained the costliest sector at USD 7.42 million per breach. https://www.ibm.com/reports/data-breach
[7] Digital ID & Authentication Council of Canada (DIACC), “Pan-Canadian Trust Framework” (PCTF). The PCTF is a modular framework comprising standards, specifications, and conformance criteria for digital identity services. It is developed collaboratively by DIACC’s Trust Framework Expert Committee, with input from public- and private-sector representatives. The framework prioritizes user-centred design, privacy, security, and interoperability. https://diacc.ca/trust-framework/
[8] DIACC, “PCTF Certification Program.” PCTF certification involves an independent third-party conformity assessment against defined criteria. Certified services appear on DIACC’s Trusted List of Certified Providers. Recent certifications include FCT Client ID Verification (Verified Person Component, LOA2, October 2025) and ATB Ventures’ Oliu platform (Privacy Component, 2024). https://diacc.ca/pctf-certification/
[9] Federal, Provincial and Territorial Privacy Commissioners and Ombuds, “Ensuring the Right to Privacy and Transparency in the Digital Identity Ecosystem in Canada” (St. John’s, Newfoundland and Labrador, September 20-21, 2022). The Joint Resolution calls for governments to “establish clear accountability mechanisms to meet transparency and privacy obligations, including providing authority and resources for regulators to exercise adequate oversight.” https://www.priv.gc.ca/en/about-the-opc/what-we-do/provincial-and-territorial-collaboration/joint-resolutions-with-provinces-and-territories/res_220921_02/
[10] Office of the Privacy Commissioner of Canada, “15 Key Recommendations on Bill C-27” (2023). The OPC recommended strengthening the Digital Charter Implementation Act by recognizing privacy as a fundamental right, strengthening protections for children’s privacy rights and the best interests of the child, and requiring organizations to conduct privacy impact assessments for high-risk activities, including AI. Bill C-27 died on the order paper when Parliament prorogued in January 2025. https://www.priv.gc.ca/en/opc-news/news-and-announcements/2023/recs_c27/
The Privacy Scorecard
A practical tool for measuring digital identity services against the FPT privacy principles. Assess your organization’s implementation across architecture, policy, user experience, and ecosystem coverage. It is not a compliance checklist or legal advice. Use it to spark conversation, explore unfamiliar concepts, and identify areas worth digging into further.