
Compliance (Law 25)
Law 25 aims to strengthen the rights of individuals regarding the protection of their personal information. It requires companies to put in place the policies and processes necessary to achieve this objective. Under this law, personal information is defined as any information that allows a natural person, whether a customer or an employee, to be identified, directly or indirectly.
What is compliance with Law 25?
Compliance with Law 25 does not concern technological aspects; it only affects the policies and processes to be put in place. Once these are implemented, companies will be able, with their IT partner, to determine which solutions and tools are necessary to guarantee this confidentiality and manage it. Throughout the workshops, we will nevertheless share best practices in this area with you.
What businesses need to do to comply now
- Designate a person responsible for the protection of personal information;
- Establish and publish a policy for the management of personal information;
- Put in place the necessary mechanisms to obtain consent for the collection, use and communication of personal information;
- Create a personal information registry and the forms necessary to respond to and document requests for access, correction and de-indexing from customers and employees;
- Establish the process for determining whether a privacy incident has occurred and how to manage it;
- Create and maintain an incident log as well as the procedure for informing the parties concerned in the event of a breach of confidentiality;
- Have a privacy impact assessment (PIA) process in place for any project to acquire, develop or redesign an information system or electronic service delivery involving personal information, or before communicating personal information outside Quebec;
- Additionally, have a data portability process.
Our 4-step approach to achieving compliance
- Overview of Law 25, identification of the personal information that concerns you, and analysis of your current position in terms of information security;
- Development of your protection policy, adapted to your business context;
- Preparation of forms and adjustments to processes and procedures;
- Training for implementation, compliance management, processes and procedures.
Our deliverables
- Template for inventorying personal information;
- Policy for the protection of personal information;
- Preparation of the required forms (between 10 and 15, depending on the company's activities);
- Policy for the retention, destruction and anonymization of personal information;
- Processes and procedures for managing confidentiality incidents;
- Processes and procedures for access requests;
- Processes and procedures for handling complaints;
- Processes and procedures for deletion and de-indexing;
- Privacy impact assessment (PIA) process;
- Data portability process;
- Recommended best practices and tools for ensuring privacy and managing compliance.
Depending on the availability of the team members involved, the process can be completed in 4 weeks.
