Law 25 is not just for large enterprises: every organization that collects personal information in Québec is subject to it — including your SMB, non-profit or union. Here is what matters, without the legal jargon.
What the law actually requires
1. A designated privacy officer
By default, it is the person with the highest authority (your CEO or executive director). The responsibility can be delegated in writing, and the officer’s title and contact information must be published on your website.
2. Knowing what you hold
You must be able to answer these questions: what personal information do you hold (clients, employees, members)? Where is it stored? Who has access? How long do you keep it? This is the data mapping exercise — and it is almost always the first surprise: you hold more than you think.
3. Published policies
A clear privacy policy, retention and destruction rules, and a process to answer access or rectification requests.
4. Incident management
Every privacy incident (loss, theft, unauthorized access) must be recorded in a register. If it presents a risk of serious harm, you must notify the Commission d’accès à l’information and the affected individuals.
The three most common mistakes
- Treating it as a legal-only project. Half the work is technical: encryption, access control, logging, secure destruction.
- Doing everything at once. Sustainable compliance is built by priority: start with data mapping and the controls that reduce the most risk.
- Forgetting your vendors. If a subcontractor processes information on your behalf, a contract must govern that exchange.
Where to start
A gap assessment usually takes two to three weeks and gives you a prioritized list: what is urgent, what can wait, and what is already compliant. That is exactly the kind of guidance we provide — in collaboration with your legal counsel for questions of law.
Key takeaway: fines can reach $10M or 2% of worldwide revenue, but the real risk is losing your clients’ trust. Compliance is a competitive advantage, not a chore.