Online privacy and data protection have become a pressing issue in recent years that many governments have decided to legislate. The Legault CAQ government has been behind many digital-related innovations, so it’s not surprising to see legislation like this.

This law is a legislative update, since existing laws inadequately address digital data. It should be noted that Law 25 has teeth and isn’t merely a preparatory law: the legal penalties for a violation can be as high as $25 million or 4% of your organization’s worldwide revenue.

In addition, this law is considered evolving; new obligations will be added over the years to keep the law’s demands current. This article provides an update on the law’s provisions, your organization’s compliance obligations, and ways to ensure current and future alignment.

Overview of the Act

Often compared to the European Union’s GDPR, Law 25 puts forth several measures to get public bodies and private organizations to modernize their data privacy practices. The law does not enforce specific technology use but outlines various criminal and monetary penalties if a solution isn’t implemented.

For example, with this law, multi-factor authentication becomes necessary for all organizations, because it substantially lowers the risk of the data breaches that attract the hefty fines. Data encryption would also be a good practice to adopt.

Another important provision of this law is citizens’ right to data erasure and dereferencing. Companies will therefore need a sound data handling policy in place so that such requests can be fulfilled without unnecessary complication.

This law also creates a right to data portability. This right is similar to the one mentioned in the previous paragraph. Still, it obliges public bodies and companies to provide, upon request, all personal information taken from a person so that they can access it.

Measures for organizations

Quebec businesses must implement several measures to comply with Bill 25, many of which will be in place by next month. Some of these measures should already be in place to comply with the GDPR, but reviewing these requirements under this new Quebec law is still a good idea.

The three measures below must be in place as of September 22, 2022.

Privacy Officer

Every organization will be required to appoint a Privacy Officer. If a company does not make a formal appointment for this role, the most senior officer of the company is deemed to hold it and will be held accountable for implementing these programs and for any breaches.

It was already a good idea to have a person dedicated to this type of role to ensure the cyber security of corporate data. However, Act 25 now makes this practice a requirement.

Management plan and incident log

This measure is relatively simple. It requires Quebec companies to have a predetermined plan for responding to incidents and to keep a log of every incident that occurs during their operations.

The plan and the logbook can be straightforward, and the law does not introduce any specific framework concerning this measure. However, involving all departments in your organization in this process is a good idea. This way, everyone knows what constitutes a violation and how to report it.

Duty to Disclose

In the event of a data breach, Quebec companies now have a legal obligation to notify anyone affected by the incident. Fines are attached to breaches of this directive.

This practice is now relatively common within organizations that handle customer data. It is considered an excellent way to counter the impact of data breaches by getting users to change their passwords.

A culture of cyber security

Bill 25 is an essential update to Quebec’s legislative framework by putting clear measures for privacy and cyber security in place.

While the measures described in this article are essential, the best way to prevent these breaches is a corporate culture focused on cyber security awareness. The problems addressed by Act 25 are preventable by giving your employees access to robust cyber security training.

Contact us today to implement this privacy course as part of your cyber security awareness program

Easily attain provincial data protection compliance by including Personal Information Protection in the Private Sector in Quebec in your security awareness program.