Are you compliant?

* This article has been translated with a translation tool. 

With the new requirements of Law 25 just coming into force, La Presse reports that a analysis of actual SME practices shows that only 3% have actually implemented all the practices required for compliance.

On September 22, phase 2 of legislation 25 came into force. This reform modernizes the provisions governing the protection of personal information so that they are better adapted to the challenges of today's digital environment. This amendment applies to all companies and organizations.

As you will recall, by September 2022, companies already had to meet certain obligations, such as:

  • Designate a person responsible for the protection of personal information
  • Report any serious incident to the Commission and to the person concerned
  • Take steps to reduce the damage caused to the people concerned
  • Keep a record of all incidents
  • Etc.

In the fall of 2023, new responsibilities were added, mainly:

  • Establish policies for the governance of personal information
  • Respecting the new rules of consent
  • Destroy or anonymize personal information once its purpose has been achieved
  • Comply with new obligations regarding transparency and use of personal information
  • Comply with new rules governing the disclosure of personal information outside Quebec
  • Set parameters to ensure confidentiality
  • Etc.

The Commission d'accès à l'information du Québec has published a reminder . It sets out the new responsibilities of companies, their courses of action and some best practices. For its part, the Quebec government has illustrated the new provisions in a timeline (from which Law 25 is derived) to help with compliance planning. Other guide publications are also available on the Web, as are professional support services for companies needing to meet the requirements of these new regulations. 

And you, are you compliant?

On your mark, get set, go!

The Ovation team