Subscribe to our blog to stay up-to-date.

What Québec’s New Law 25 Means For Your Business
Mon Oct 03, 2022 | jean-francois roberge
Are you sure you know the implications on your organization since the passing of Law 25 in Québec?
Previously under the name Bill 64, Law 25 makes several significant changes. While the initial intentions and integrity of the bill have been maintained, with the focus being the protection and privacy of personal information, the new law will significantly affect businesses' daily procedures.
What is Law 25?
As of September 22nd, 2022, all businesses in Québec are now under legal obligations under Law 25. This was first introduced as Bill 64, which was enacted on September 22, 2021, but has now had changes made under its new title, Law 25.
Important Changes That Are Now in Place Under Law 25 Include:
-
Organizations are required to inform individuals whose personal information has been compromised about the incident and its circumstances.
-
Organizations must also provide verbal or written notification to the Commission d’accès à l’information du Québec (CAI) should they suspect an incident puts an individual at risk or if there’s threat of serious injury to an individual as a result of an incident.
-
Organizations doing business in Québec are required to create and maintain a “register of confidentiality incidents” for at least five years following the incident.
Businesses who fail to meet these new legal obligations could face penalties, including fines of up to $25 million (Les Affaires).
Law 25 is meant to bring peace-of-mind to citizens that their private information isn’t being mistreated or placed in the direct path of danger by organizations. This change is likely to set the standard for other Canadian provinces to enact similar laws, and for governments to adapt to “today’s technological reality” (IT World Canada).
Law 25 will be introduced gradually over the next three years, with two more sets of obligations set to roll out in September of 2023 and 2024.
A Reminder on Some of the Necessary Measures Previously in Place:
Going forward, businesses will be expected to comply with Québec’s new legal obligations, while also continuing to follow the prior regulations as well.
Prior regulations include:
-
All organizations must respond to requests for access to personal information. If the organization refuses, there must be justification given, as well as information provided to the requester on the appeals processes available to them through the commission d’accès à l’information du Québec.
-
All persons must be informed by the organization about the collection of their personal information, the purpose of the collection, how the information will be used, and who will have access to it.
-
All organizations are required to have proper safety measures in place that will protect any personal information gathered.
-
All organizations are required to ensure persons they work with outside the province are equally as careful with how they manage private information.
Along with the above stated protocols, organizations will need to make internal adjustments to meet the new requirements. These changes will directly impact the day-to-day operations of a business, but if plans are put in place properly then the transition should be seamless.
Choosing A Privacy Officer:
Each new change in place under Law 25 is meant to strengthen previously implemented safety measures, introducing new layers that will better safeguard private information. Some of the new measures have already taken effect, such as Presidents being automatically designated as the one responsible for the protection of private information within their organization.

The first step your team should take is reviewing their internal processes and deciding who should be their designated “Privacy Officer” (Les Affaires). The President must decide to designate someone if they don’t wish to hold that position automatically given to them. To transfer this over, written notice must be given to the newly appointed privacy officer.
Privacy Officers Are Responsible For:
-
Overseeing the private information that is shared and obtained within an organization.
-
Understanding how private information should be handled, communicated, and what kinds of information their organization deals with.
-
Knowing who should have access to what information.
-
Creating policies/practices surrounding the sharing, storing, or disposal of private information.
The privacy officer will be the point of contact within your organization for people to report incidents, concerns, or ask questions surrounding private information. Working with the President or other key members of the team, the privacy officer will also have to decide the definition of an “incident” within their organization.
Privacy officers should also work with their team to understand what potential threats they face and how they can reduce risks. This will help the privacy officer later determine if a concern presented to them falls under the “incident” category or not.
Recording Privacy Incidents:
Once your team has chosen a privacy officer and decided what an “incident” means for your organization, the next step will be to keep an accurate ledger on said incidents.
Under Law 25, all organizations are required to keep a record on all privacy incidents. To help keep this record accurate and up-to-date, teams should be educated on what threats are, what an “incident” is, and the steps for contacting the privacy officer about their concerns.
Teach Your Team How to Spot Potential Threats:
Your team should understand what threats they currently face, such as password attacks and phishing attacks. Cybersecurity awareness seminars held by your internal IT team or by a knowledgeable and trusted source will keep your team appraised on the latest threats.
Everyone on your team should be able to spot looming threats and know how to report them to the appropriate personnel. Since organizations deal with several layers of private information (ex: client, company, and partners), ensuring your team has a strong understanding about cybersecurity awareness like this will help you keep data safe.
Have Solid Layers of Defence in Place:
Now that your team knows what a threat looks like and you have an appointed privacy officer in place, you should also be examining your preparedness for incidents. Law 25 requires that organizations have proper defences in place, such as antivirus software, trained IT teams, and thoughtful plans for dealing with incidents after the fact. Organizations should then be reviewing their current processes and finding ways to strengthen them.
Managed IT
One way your team can strengthen their current security measures to meet Law 25’s requirements is to look into managed IT services. Most organizations likely have their own antivirus software available and downloaded on their team’s computers. But this might not be enough to protect against threats and keep incidents from happening.
To go the extra mile in protecting your organization’s private information, you should consider hiring a managed IT team. These teams are specially trained on how to identify threats and prevent the theft of your company’s private data. Many managed IT teams, such as ours at XMA, provide 24/7 infrastructure monitoring and preventative maintenance for your server.
Disaster Preparedness
While it’s important to have all of the above stated measures in place, one of the best things you can do is prepare your team for potential disaster. The point of Law 25 is to minimize incidents while also ensuring organizations are prepared to act should an incident occur. One of the best things you can do is create a disaster recovery plan.
Disaster recovery plans can help you recover your data quicker, reduce the interruptions caused by potential incidents, and prepare your team to act fast should an incident occur.
In your disaster recovery plan, your team should also have a section about your disclosure obligations. Law 25 requires that organizations report incidents to the commission d’accès à l’information du Québec (CAI). It also requires that any affected parties of an incident also be contacted if there’s a serious risk of harm present.

Your team should work out the specifics of reporting incidents in their disaster preparedness plan. This will include knowing when private information breaches are serious enough for concern, who will be in charge of assessing the threat level, and at what point you will need to contact affected parties.
It’s recommended that teams have a severity scale in place, which you can use to measure threats more accurately. Your scale should look at things such as the “volume of sensitive information compromised, nature of the information compromised, and the actors involved in the incident” (Les Affaires).
Having a severity scale along with a proper disaster recovery plan will help your team bounce back faster from incidents and decrease stress associated with reporting an incident to the CAI.
Is Your Team Ready?
Now that you better understand Law 25 and what your team can expect under its new regulations, it’s time to implement change in your business. Protecting private information is important not only for your clients, but also for your organization. Failing to properly follow these new requirements could mean facing serious penalties.
To keep your team, clients, and partners safe make sure you understand how Law 25 impacts day-to-day functions for your organization.
Wondering how you can make the necessary changes to follow the new rules under Law 25?
Learn what resources are available to you through XMA.
