The protection of personal information has become an absolute priority for Quebec businesses. Law 25 is a law modernizing legislative provisions on the protection of personal information. Coming into force on September 22, 2022, it marks a major turning point in the way organizations must manage and protect sensitive data.
Solulan, your trusted IT services and cybersecurity partner, supports you in this crucial transition to Law 25 compliance. Discover our complete guide to understanding the challenges of this law and implementing the necessary measures to ensure the protection of personal information within your organization.
What is Law 25 in Quebec?
Law 25 aims to strengthen the protection of personal information in Quebec by introducing stricter provisions and extending the rights of individuals.
It applies to all private companies and public bodies that collect, use or communicate personal information. Specific new obligations are imposed to ensure compliance with Law 25, guaranteeing that companies and public bodies adequately protect the personal data they manage. This enables more secure and transparent management of sensitive information, while complying with the new legal requirements for the protection of personal information.
Informed consent and greater rights
One of the major changes concerns consent. Companies must now obtain explicit, informed consent before collecting, using or disclosing personal information. In addition, Law 25 grants individuals new rights, such as the right to data portability and, in certain circumstances, the right to forget or destroy personal information.
Mandatory notification of security breaches
Law 25 also requires companies to notify the Commission d'accès à l'information (CAI) and the individuals concerned in the event of a confidentiality incident involving personal information. This measure is designed to ensure greater transparency and enable individuals to take the necessary action to protect their interests.
Tougher penalties
Failure to comply with Law 25 can result in significant financial penalties, up to $10 million or 2% of worldwide sales, whichever is greater. These enhanced penalties underline the importance of compliance and encourage companies to take data protection seriously.
Key steps for compliance with Law 25 in Quebec
Compliance with Law 25 is a process that requires careful planning and a proactive approach.
As a reminder, here are the key dates for compliance with Law 25:
- September 22, 2022: Law 25 comes into force.
- September 22, 2023: Deadline for implementation of initial compliance measures.
- September 22, 2024: Deadline for full compliance.
Appointment of a data controller and data mapping
The first step is to appoint a Chief Privacy Officer (CPO). This person will be responsible for overseeing the implementation of and compliance with Law 25 within your company. In particular, the RPRP will have to carry out a privacy impact assessment for any communication of personal information outside Quebec.
Next, it's essential to map data flows, i.e. to identify all the personal information you collect, use and communicate, as well as the reasons why you do so.
Updating policies and procedures
Once your data flows have been mapped, it's time to update your internal policies and procedures. Your privacy policies, consent forms and data management procedures must comply with the law and the new requirements of Law 25.
Data security and staff training about Law 25
Protecting personal information involves implementing appropriate cybersecurity measures. It is essential to protect data against unauthorized access, use, disclosure, loss or theft.
In addition, it is essential that your staff receive training on Law 25 throughout their careers. Your employees involved in electronic service delivery, must be made aware of the importance of protecting personal information and the new obligations of Law 25.
Quebec’s Law 25 and cybersecurity: An integrated approach
Law 25 and cybersecurity are intrinsically linked. Personal information cannot be protected without robust cybersecurity. An integrated approach is essential to ensure that all the necessary security measures are in place to protect sensitive data.
Risk assessment and incident response plan
A risk assessment is a crucial step in identifying potential vulnerabilities within your systems. This assessment identifies weak points that could be exploited in a cyberattack. Once these vulnerabilities have been identified, you can implement corrective measures to strengthen the security of your company's data.
An incident response plan is equally important. This plan must include clear procedures for reacting quickly and effectively in the event of a security breach. It should define the steps to be taken to contain the incident, minimize damage and restore affected systems. In addition, the plan must provide for communications with internal and external stakeholders, including notification to the Information Access Commission and affected individuals.
Cybersecurity awareness
Raising awareness and training your employees is essential to maintaining a high level of IT security. It's vital that employees receive training in Law 25 in addition to cybersecurity best practices, and are made aware of the risks associated with hacking. Regular training ensures that all staff members understand the importance of protecting personal information and know how to react in the event of an attempted cyber-attack.
In addition to initial training, phishing awareness sessions and other types of cyber attack should be organized to maintain a high level of vigilance. These sessions can include simulated attacks, updates on new threats and reminders of corporate security policies. By cultivating a culture of security, you reduce the risk of human error compromising data security.
Discover our cybersecurity services
Solulan: Your partner for successful compliance with Law 25 in Quebec
Solulan, with its expertise in IT and cybersecurity, is with you every step of the way to ensure compliance with Law 25. We offer personalized advice, technical expertise and proactive monitoring to help you protect your data and ensure your company's compliance.
Contact us today and find out how we can help you meet the challenges of Law 25 and strengthen the protection of personal information within your organization!
Register to our webinar HERE
