For your specific needs

Law 25 Compliance

Companies doing business in Quebec must take specific actions to comply with the obligations of Law 25 regarding the protection of personal information.

Don’t know where to start? I can help you.

Law 25, which made sweeping amendments to the Act respecting the protection of personal information in the private sector, applies to any person who operates a business in Quebec, whether for profit or not. The new obligations spread over 3 years are now all in force since September 22, 2024. Law 25 provides for administrative and criminal sanctions in the event of non-compliance which can amount to $25 million or 4% of global turnover.

If you don’t know where to start your compliance, my turnkey service offer is for you!

Phase 1

Your obligations since September 22, 2022

Privacy Officer

Appoint a Privacy Officer and publish his/her contact information on the organization’s website (s. 3.1)

Becoming familiar with Law 25

Provide a PowerPoint presentation and conduct a 60-minute training session on Law 25 via Teams (training for the organization’s management team and Privacy Officer)

Appoint a Privacy Officer (PO) and publish its title and contact details on the organization’s website

Provide a draft delegation of authority and revise the final document and the text published on the organization’s website

Understand the legal obligations of the PO

Provide a list of the PO’s legal obligations and explain them

Confidentiality Incidents

Reduce the risk of harm, disclose confidentiality incidents presenting a risk of serious harm to the CAI and the persons concerned, and maintain a register of incidents (s. 3.5 to 3.8)

Adopt a procedure for managing confidentiality incidents involving personal information (PI)

Provide a template procedure for managing confidentiality incidents involving PI, tailor it to the client and explain the content

Establish a confidentiality incident register

Provide a confidentiality register template and explain the methodology to complete it

Develop an assessment grid to determine if the confidentiality incident poses a risk of serious harm

Provide an Excel grid to assess the risk of serious harm from a confidentiality incident and explain the methodology to complete it

Phase 2

Your obligations since September 22, 2023

Governance Policies and Practices

Adopt governance policies and practices regarding PI and publish detailed information on this subject on the organization’s website (s. 3.2)

Conduct an inventory of the PI collected, used, disclosed, retained and destroyed by the organization and the security measures in place

Provide a PI register template in Excel format and explain the methodology to complete it

Analyse the results of the PI inventory

Comment on the results of the inventory and make recommendations for actions to be taken to ensure compliance

Develop a PI governance program

Provide an overview of the PI governance program to be implemented, tailor it to the client and explain it

Adopt a PI protection policy for employees

Provide a PI protection policy template, tailor it to the client and explain it

Adopt a directive on the collection, use and disclosure of PI for employees

Provide a template directive on the collection, use and disclosure of PI, tailor it to the client and explain it

Adopt a directive on the retention and destruction of PI for employees

Provide a template directive on the retention and destruction of PI (including a retention calendar), tailor it to the client and explain it

Adopt a directive on PI physical, technical and organisational security measures for employees

Provide a template directive on PI physical, technical and organisational security measures (including a Security Program), tailor it to the client and explain it

Adopt a procedure for handling PI requests and complaints

Provide a template procedure for handling requests and complaints relating to PI, tailor it to the client and explain it

Publish a privacy policy in plain language for PI collected via the organization’s website

Provide a website privacy policy template, tailor it to the client and explain it

Publish a summary of PI governance policies and practices on the organization’s website

Draft the summary of policies and practices to be published on the website

Review the organization’s PI collection forms to make them compliant
  • Provide a draft privacy policy for employees’ PI, tailor it to the client and explain it
  • Make recommendations to modify the collection forms from customers and unincorporated suppliers
Train and raise awareness among employees on the protection of PI

Provide a PowerPoint presentation and conduct a 60-minute training session on the protection of PI via Teams

Disclosure of PI to a Third Party

Enter into a written agreement for the processing of PI by a third party or the transfer of PI outside Quebec (s. 18.3 and 17)

Draft an appendix to a service agreement to ensure the protection of PI disclosed to a third party

Provide a contractual appendix template (French and English) and explain it

Draft a data processing agreement for PI processed by a third party

Provide a data processing agreement (French and English), tailor it to the client and explain it

Privacy Impact Assessment

Conduct a Privacy Impact Assessment (PIA) for certain projects involving PI and for the transfer of PI outside Quebec (s. 3.3, 17 and 21)

Develop a Privacy Impact Assessment grid and report template
  • Provide a PIA guide, grid and template report in Excel format and explain the methodology
  • Provide a PowerPoint presentation and conduct a 60-minute training session on PIA via Teams