Complying with Quebec Privacy Law Bill 25 – What You Need to Know

This September organizations in Quebec will face stiff penalties if found non-compliant with Law 25 (previously Bill 64). Passed in 2021, the Law has phased in annual amendments and requirements every September 22. Previous phases defined organizational and preparatory requirements; this September kicks off enforcement, where organizations found to be non-compliant could face fines up to $25 million, or four percent of annual turnover for privacy violations.

What is Law 25?

Law (or Bill) 25 is a provincial data privacy law which in practice looks and sounds like Canada’s federal data privacy law, Personal Information Protection and Electronics Act (PIPEDA). However, Law 25 modernizes the protection of personal information and better defines what qualifies as sensitive information (any information which relates to a person and allows that person to be identified).

A key difference is each law’s scope—PIPEDA focuses on private-sector organizations, while Law 25 applies to both private and public organizations operating in Quebec and collecting and handling sensitive information of Quebec residents.

The Law is designed to provide individuals with more control over their information and the ability to request and access their information from organizations who have it. If an individual requests specific information, your organization must provide it to them within 30 days or risk penalties.

It’s a practical approach to data privacy and an individual’s right to access information that sounds straightforward. Yet in practice, ensuring your organization can source, protect, deliver, and/or erase sensitive information within the Law’s parameters could get messy.

Many organizations struggle to understand what types of sensitive information they collect, store, and share, let alone the security risks based on those information types. The Law’s wide reach means that public and small businesses with limited budgets, teams, and data and asset management resources may struggle to institute the practices and processes necessary to demonstrate compliance.

Adhering to Law 25

Law 25 clearly outlines requirements that pertain to the protection of personal information, the collection of personal information, confidentiality of personal information, data access provisions, and recourse. You can see the Law in full, as well as active (enforceable) requirements here.

Essentially, aligning to Law 25 supports three key pillars:

1. Governance

‍Companies must design and enact privacy policies and processes to govern personal information as defined by the Law.‍

2. Transparency

‍Organizations must demonstrate transparency and ability to disclose personal information to consumers and citizens who request it.

3. Compliance

‍Unlike other data privacy laws in Canada, Law 25 and its regulator, the Commission de l’accès à l’information (CAI), is empowered and ready to issue and enforce penalties for non-compliance.

‍

How to comply with Law 25

Whether you’ve been following Law 25 since its introduction or playing catch-up, there are several tactics and tools you can apply to prepare for this September’s enforcement rollout.

1. Create (or revisit) a data governance framework.

A data governance framework is a high-level plan that maps how your organization will manage and protect its data. It details practices and processes to ensure that all data is collected, processed, and stored in a consistent manner, and that only authorized users have access to it.‍

2. Review your organization’s data access controls.

Ensuring your data access policies and controls are up to date will ensure appropriate controls are in place to guard access to sensitive information. Regular system audits can help detect and correct misconfigurations, accidental permissions and inappropriate data access, while review schedules based on data classification types like PII can keep you on top of sensitive information handling.

3. Automate data discovery and classification.

Manual data and asset management tools like spreadsheets can’t scale to meet the growing volume of data your organization has. Automated data discovery and classification can find and classify all data, helping you build and maintain an accurate data inventory, instill a privacy-first culture across your organization, and provide customer and consumer reassurance.

‍

‍

Achieving compliance with any data privacy or protection law (including Law 25) starts with understanding what data your organization has and the risks associated with it based on data types. Access best practices and get more compliance tips by scheduling a Cavelo platform demo today.