Every Alberta public body needs a compliant PMP in place by June 11, 2026. We build yours end-to-end — the full document, the PIAs for your actual SaaS tools, the privacy officer framework, and the breach procedures. Fixed fee. No hourly billing surprises. Ready well before the deadline.
Sign by mid-May to comfortably hit June 11. Our standard delivery is 3–4 weeks from discovery call to handover. Waiting until May makes it tight. Waiting until June means missing the deadline.
What's at stake
Under Section 25(1) of Alberta's Protection of Privacy Act, every public body must establish and implement a Privacy Management Program by June 11, 2026. This isn't optional, it isn't deferrable, and it applies to every public body in the province — from provincial ministries down to small municipalities, school divisions, and libraries.
POPA introduced penalties of up to $1 million for certain offences. The PMP itself doesn't carry a specific fine, but failure to have one means your organization cannot demonstrate compliance with POPA when a privacy incident occurs. Without a PMP, any breach becomes a much harder conversation with the Commissioner.
The PMP is not a single document. It's an operating framework covering a privacy officer, documented safeguards, employee training, breach response, and a process for completing Privacy Impact Assessments for every SaaS tool you deploy. Building one from scratch with no in-house privacy counsel is a multi-week project for a small organization. Most of our clients don't have that bandwidth.
That's why we built this service: a fixed-fee, done-for-you PMP designed specifically for the small-to-midsize Alberta public bodies — municipalities, school divisions, libraries, smaller health authorities, and post-secondary institutions — that need to be compliant by June 11 and don't have the runway to figure it out internally.
What's included
Every engagement covers the same six steps. The difference between our tiers is how many SaaS tools we cover in the PIA phase and how much custom work goes into your specific operational procedures.
The delivery process
Discovery call60 to 90 minutes. We scope your environment, your existing policies (if any), your SaaS inventory, your risk profile, and your timeline. You leave the call with a clear picture of what's required and what we'll deliver.
SaaS inventory and sovereignty assessmentUsing our HarbourScan tool and our 766-tool Sovereignty Index, we map your actual stack and flag CLOUD Act exposure, data residency issues, and jurisdictional risks you didn't know you had.
PIAs for your top SaaS toolsUsing Alberta's mandatory OIPC template, we generate defensible answers for Sections F (Protection), G (Service Providers), and H2 (Cloud Computing Risks) for each tool. Ready to submit to the OIPC if required.
The Privacy Management Program documentA drafted PMP covering everything the Ministerial Regulation requires: privacy officer designation, internal handling procedures, employee training outline, breach response procedures, PIA process, and documented safeguards. Written to your organization's actual operating context, not a generic template.
One revision roundYou review the draft, we incorporate your feedback, and we deliver the finalized documents.
Handover callA 30-minute call to walk your team through the PMP, how to use it, and what you need to do to keep it current. You leave the call ready to operate the program.
What's not included
So nobody is surprised: we don't provide ongoing privacy officer services, we don't represent you before the OIPC, we don't deliver the employee training sessions themselves (we provide the outline — you deliver it), and we don't provide legal advice on specific incidents. This is a compliance readiness engagement, not an ongoing retainer. If you need more than what's in scope, we'll talk about it and quote it separately — no hidden fees.
Pricing
Fixed-fee. 50% on signing, 50% on delivery. All prices in CAD. All tiers stay below standard Alberta public body procurement thresholds — which means your procurement officer can usually sign without triggering a formal RFP process.
Essential
$4,500CAD
Small municipalities, single libraries
For very small public bodies with a simple SaaS footprint.
Not sure which tier fits? Book a discovery call and we'll help you scope it. The call is free.
Who you're working with
Joshua van Es
Founder, Upper Harbour · Corporate law background
Josh is the founder of Upper Harbour, Canada's technology sovereignty intelligence platform. He built the 766-tool Sovereignty Index that underpins the jurisdictional analysis in every PIA we deliver, and the classification methodology the service uses to evaluate CLOUD Act exposure and sub-processor risk at every layer of your SaaS stack.
Research cited in The Globe and Mail, Maclean's, The Logic, BetaKit, Policy Options, and OpenCanada. Book chapter on Canadian technology policy published by McGill-Queen's University Press.
Why work with us
We specialize in the hardest part of Alberta POPA compliance. The sovereignty analysis — CLOUD Act exposure, jurisdictional control, sub-processor chains — is what most PIAs and PMPs get wrong, because most templates treat it as a checkbox question. We built a 766-tool classification database specifically to answer these questions defensibly, and our methodology has been cited in The Globe and Mail, Maclean's, The Logic, and BetaKit.
We're priced for organizations that actually need help. Big Law firms quote $25,000 to $75,000 or more for equivalent work, with junior associates doing most of it. A small Alberta municipality cannot afford that and shouldn't have to. Our fixed-fee model gives you the same rigour without the billable-hour surprises.
We know the template. Our Alberta PIA Research Tool was built against the OIPC's mandatory template released March 2026. We've walked through every section. We know which questions the regulator cares about and which ones are formalities, and we write answers designed to withstand OIPC scrutiny.
We use the same methodology on every engagement. Every PIA cites the ultimate parent jurisdiction, documents CLOUD Act exposure where it exists, and provides defensible language you can copy directly into your submission.
Frequently asked questions
What is the deadline for Alberta public bodies to implement a PMP?
Every Alberta public body must have a Privacy Management Program in place by June 11, 2026, under Section 25(1) of POPA. This requirement takes effect one year after POPA's proclamation. The PMP must also be made publicly available on request.
How is this different from hiring a law firm?
A large firm will typically quote $25,000 to $75,000+ for equivalent work, bill hourly, and use junior associates for most of the drafting. We quote fixed fees starting at $4,500, deliver in 3–4 weeks, and use the same rigorous sovereignty methodology on every file. For small-to-midsize public bodies, our pricing is the difference between actually getting this done and letting the deadline slip.
Do we need to be in Alberta to work with you?
Yes, this service is scoped specifically to Alberta POPA compliance. If you're a public body in BC, Quebec, or elsewhere with a different privacy regime, get in touch and we can discuss whether we can help.
What if we already have some policies in place?
Most public bodies do. During the discovery call we review what you have, identify the gaps against POPA's actual requirements, and scope accordingly. In many cases we're extending and formalizing existing material rather than starting from scratch.
Can you help us after the PMP is delivered?
The core service is delivery of the PMP package. We don't offer an ongoing retainer as part of these tiers, but if you need follow-up work — additional PIAs, updates when you adopt new SaaS tools, breach response support — we can scope it separately. Many organizations find the deadline itself is the acute pain and the ongoing maintenance is something their existing staff can handle with the framework we build.
What does the discovery call cost?
Nothing. The first call is free and typically runs 30 to 60 minutes. We use it to understand your environment, answer your questions, and help you decide whether we're the right fit. If we are, we send you a scoping proposal within 48 hours. If we're not, you at least leave the call with a clearer picture of what POPA compliance actually requires.
The deadline is June 11, 2026
Every week you wait is a week of compressed delivery timeline. A 30-minute call costs you nothing and gives you a clear answer on what you need and what it costs.
