Idahys

Blog article

Law 25: Restriction or Asset for Businesses?

June 9, 2023

Main Facts

FULL NAME

Act modernizing the laws relating to the protection of personal information

OBJECTIVE

Strengthen the protection of personal information held by businesses in Quebec

DATES

Entry into force on: September 2022
Second phase: September 2023
Third phase: September 2024

RESPONSIBLE ORGANIZATION

Commission d’accès à l’information du Québec

POSSIBLE PENALTIES TOWARDS COMPANIES

Very high! They can reach $25,000,000 or 4% of the company’s worldwide turnover.

WHO IS CONCERNED

All businesses, whether SMEs, NPOs, independent consultants or any other form of business recognized by law.

Law Objectives

1. Strengthen the protection of personal information by imposing stricter standards and promoting better management of this data.

2. Increase transparency in the collection, use and disclosure of personal information. Organizations are required to inform individuals in a clear and understandable manner about the collection and use of their data.

3. Reinforce the consent of individuals regarding the collection, use and disclosure of their personal information. Organizations must obtain informed and free consent from individuals, except in certain specific situations provided for by law.

4. Hold organizations accountable by requiring them to designate a privacy officer and put in place appropriate security measures to protect data.

5. Strengthen the rights of individuals with respect to the protection of personal information. Individuals have the right to access their data, have it corrected or deleted, and object to its use in certain circumstances.

I have an SME, am I concerned?

The law applies to SMEs and to all organizations that collect, use or disclose personal information in Quebec. Its purpose is to strengthen the protection of personal information. SMEs must comply with the requirements of the law, which include putting in place appropriate security measures to protect personal data, obtaining informed consent from the individuals concerned, informing people about the collection and use of their information, and respecting individuals' rights of access, correction and deletion of their personal data.

What Is Personal Data According to the Law?

Name
Social Security number
Address
Age
Gender
Family situation
Online identifiers
Employee identification number
Added to this list are elements specific to a person's physical, physiological, genetic, psychological, economic, cultural or social identity.

What you need to do to comply

From September 2022:

You must designate a person responsible for the protection of personal information and publish their contact details on your company’s website or any other appropriate means.
In addition, in the event of an incident you must take reasonable measures to reduce the risk of harm and prevent future incidents. You must also inform the Commission d’accès à l’information and the person concerned if the incident presents a serious risk of harm.
You must keep an incident log and send it to the Commission on request.

From September 2023:

You must establish a personal information governance plan, including policies and practices, and post it clearly on the company’s website or by any other appropriate means.
You must complete a Privacy Impact Assessment (PIA).
You must destroy personal information once the purpose for which it was collected is achieved, or anonymize it.
You must provide the default settings that ensure the highest level of confidentiality for technological products or services intended for the public.
You must respect the right to cease dissemination, re-indexing or de-indexing (or the right to be forgotten).

From September 2024:

You must respond to requests for personal information portability, which is the right of individuals to request the transfer of their personal information from one organization to another, to the extent technically feasible.

Turn obligations into benefits for your business

From September 22, 2023, Law 25 requires the establishment of an information governance plan. Creating such a plan has several benefits for a business, such as:

1. Clearly define everyone’s responsibilities and obligations regarding the protection of personal information, which ensures a clear understanding of these roles within the organization.

2. Better protect information by restricting its access to authorized persons only, which strengthens data security. It becomes part of your cybersecurity strategy.

3. React effectively in the event of a confidentiality incident despite the preventive measures put in place, allowing a rapid and adequate response.

4. Demonstrate the company’s diligence in the protection of personal information, which demonstrates its commitment in the event of a confidentiality incident presenting a serious risk of harm.

Having an information governance program in place is critical to avoiding significant costs, protecting corporate reputation, and ensuring profitability. It effectively protects the organization and meets data security requirements. The governance plan is therefore an integral part of an effective cybersecurity strategy.

Our advice

1. First, get informed

2. Conduct a Privacy Impact Assessment

3. Establish a governance plan

4. Review the plan and your practices regularly

5. Choose a partner to accompany you
