Have you implemented Law 25?
Do not wait to get compliant and avoid expensive penalities
Have you implemented Law 25 requirements?
Do not wait to get compliant and avoid expensive penalities
We ensure your organization compliance with Law 25 at every step of its enforcement:
Phase
1
IMPLEMENT
Appoint a Privacy Officer and report privacy incidents
Deadline September 2022
Phase
2
GOVERN
Adopt privacy information
governance and security
policies
Deadline September 2023
Phase
3
OPERATE
Fully comply with law
and provide requirements
on demand
Deadline September 2024
What is the Law 25?
The Modernization of Personal Information Protection Legislation Act, also known as the Law 25, aims to protect the Quebec population by making companies accountable for the personal information they hold. The Law is enforced in 3 different phases:
2022 – Every organizations in Quebec must have Private Officer appointet, collect and report any privacy incident to the “Comission d’accès à l’information du Québec (CAI)”.
2023 – Organizations must adopt governance and privacy policies.
2024 – Organizations must be ready to provide the information on demand, either by the government or any person whose data is collected by the organization.
How to comply in 3 phases?
We help you take actions to apply each legal requirements:
Phase 1
Phase 2
Phase 3
We will train your Privacy Officer on his/her responsibilities.
We analyse your environment and implement the requirement for Law 25
phase 1 :
– Data identification and classification
– Cybersecurity risk assessment and recommendations
– Procedure for managing confidentiality personal data incidents
– Process and report to declare any incident to the Commission d’Accès à l’Information and the person involved
Services
Governance
– Creation of internal policies
– Definition of employee roles
– Complaint management
procedures
– Compliance evaluation of
third parties
– Data protection measures
– Privacy framework
Privacy Impact Assessments (PIA)
– Before acquiring, developing, or
redesigning information systems
– Prior to executing electronic services
using personal data
– Before disclosing information
outside Quebec
Clear and explicit consent:
– Defined purposes for personal
information collection
– Written consent
– Clear communication of
individuals’ rights
– Disclosure of third parties
involved
Complying with data portability means:
– Having a structured and commonly used technological format to inform individuals on their data upon request
– Faciliating the transfer of such information to authorized organizations upon individual’s request (e.g., when changing service providers)
Phase 1
We will train your Privacy Officer on his/her responsibilities.
We analyse your environment and implement the requirement for Law 25
phase 1 :
– Data identification and classification
– Cybersecurity risk assessment and recommendations
– Procedure for managing confidentiality personal data incidents
– Process and report to declare any incident to the Commission d’Accès à
l’Information and the person involved
Phase 2
Governance services:
– Creation of internal policies
– Definition of employee roles
– Complaint management
procedures
– Compliance evaluation of
third parties
– Data protection measures
– Privacy framework
Privacy Impact Assessments (PIA)
– Before acquiring, developing, or
redesigning information systems
– Prior to executing electronic services
using personal data
– Before disclosing information
outside Quebec
Clear and explicit consent:
– Defined purposes for personal
information collection
– Written consent
– Clear communication of
individuals’ rights
– Disclosure of third parties
involved
Phase 3
Complying with data portability means:
– Having a structured and commonly used technological format to inform individuals on their
data upon request
– Faciliating the transfer of such information to authorized organizations upon individual’s
request (e.g., when changing service providers)
How is it beneficial for you?
Comply with the Law 25 will help you:
Avoid
penalties
Fines range from $15,000 to $25,000,000 CAD, or 4% of worldwide the worldwide revenue.
Protect your
reputation
Safeguarding customer data fosters trust, and mitigates potential data breaches and its consequences
Lower cyber
attacks
Security,measures, regular vulnerability assessments, and employee training will significantly strengthen your cybersecurity defenses
Complying with the Law 25
is mandatory
Do you need support?
Want to know more about Law 25?
English 
French