By Jennifer Blanchette

Written in collaboration with our educational partner, Emeline Manson, founder of CY-Clic and cyberfraud lecturer at the École Polytechnique de Montréal

Effective September 22, 2022, all Quebec businesses must comply with a series of measures relating to the protection of personal information. These requirements stem from the Act to modernize legislative provisions as regards the protection of personal information, commonly known as Bill 25. Find out what are your new legal responsibilities, whether you are a solopreneur or an industry leader.

Largely inspired by the EU’s General Data Protection Regulation (GDPR), Bill 25 aims to allow citizens greater control over their personal information and to hold organizations more accountable in how they manage that information. Therefore, any individual or company that collects personal data becomes accountable for that information in the eyes of the law.

“This affects everybody!” says Emeline Manson, a fraud prevention and cybersecurity educator. “The focus for this year will be to demonstrate that we are striving to comply with the requirements of the Act.”

In order to allow businesses to gradually adapt to them, the new provisions of Bill 25 will come into effect in three stages – on the 22nd of September 2022, 2023 and 2024. 

Main obligations as of September 22, 2022

1. Designate a Privacy Officer

Everyone is presumed to know the law. This is even truer for business owners under Bill 25 as they are directly affected.

Indeed, private sector businesses are required to designate a person in charge of the protection of personal information (Privacy Officer). By default, this responsibility is assigned to the most senior person in the company. However, businesses may choose to delegate this role in writing to a member of their team or outsource it to a professional.

Once the Privacy Officer is appointed, it will be important to publish their title and contact information on the company’s website.

2. Keep a log of confidentiality incidents

First, you will need to understand and determine what constitutes a confidentiality incident. According to the Commission d’accès à l’information du Québec (CAI), a confidentiality incident is an unauthorized access, use, disclosure or even loss of someone’s personal information.

Afterwards, we suggest that you simply keep a log in an Excel file. Initially, your document will be blank, as you will not yet have experienced any incidents. Obviously, the goal is to keep it blank forever.

3. Report any confidentiality incidents

In the event that the confidentiality incident poses a serious risk of harm, you will be required to notify CAI and the individuals or organizations impacted. You will also have an obligation to take appropriate measures to reduce the risk of harm and to prevent similar incidents from occurring again.

See the information sheet (available in French only) on the CAI website for a complete list of your new responsibilities in matters pertaining to the protection of personal information.

Considerable thought should be given to 2023

“We can quickly cross off the list of things to implement for this year. However, considerable thought will need to be given to 2023,” warns Emeline Manson.

The Privacy Officer will have their work cut out for them,” she says, “because next year, they will be responsible for implementing the policies and practices for data governance. Among other things, the Privacy Officer will have to consider implementing a procedure for handling complaints, de-indexing data or managing employees access to data.

Creating policies is hard if you don’t know what you’re collecting,” Manson argues. That is why we recommend that businesses start thinking about this now, even though that obligation only takes effect in September 2023.

To help business owners navigate the process, here is a method to help you map out your data collection in three steps:

  • WHAT: what types of data is the company collecting?
  • WHERE: on what platforms is this data collected?
  • WHO: which employees have access to this data? HOW: how is access to this data controlled when an employee is hired or leaves?

If the task seems tedious, feel free to sequence it over time. Also be sure to keep pen and paper handy and write down your information as you go. The goal is to not “overdose” on privacy issues, but rather to stay on top of our privacy behaviours and practices.

And for 2024?

The main change will be addressing requests for portability of personal information. This means that the company will have an obligation to release to the individual the personal information that he or she had provided or to transfer it to another organization.

Despite being rolled out over a three-year period, the changes brought about by Bill 25 could discourage some business owners. But rest assured! This will all have a positive impact on your company.

By being mindful of improving your control over your clients’ personal information, you are demonstrating that you are trusted and reliable. Highlighting on your website your company’s efforts in improving confidentiality could help bolster your company’s reputation. 

Do not forget about cybersecurity

While you already have to upgrade your privacy procedures, why not extend this thinking to your company’s computer security? Contrary to what some people believe, upgrading to the standards required by Bill 25 is NOT a safeguard against the cyber incidents that threaten your digital platforms.

Weak passwords, inadequate backup methods, lack of employee training in cybersecurity… These are not addressed by the new legislation.

Allow us to adequately protect your systems from attack while you ensure that your customers’ personal data is protected.