Law 25, more precisely named the Law modernizing legislative provisions on the protection of personal information, entails new responsibilities for businesses.
What do we need to know about these new responsibilities, and what must businesses do to comply? The experts at Nerd Marketing provide you with details and some best practices to adopt right away to facilitate an efficient transition to your new obligations.
The new law: since September 2022
Under the new provisions in effect since September 22, 2022, businesses, regardless of their size, must designate a responsible person within the team to ensure compliance with this law. This person must, among other things, ensure that the company’s policies and procedures comply with the provisions of the Law.
Even more fundamentally, all companies will be required to keep a register of personal information for which they are responsible, as well as a register of all disclosures of this information. These registers must be made available to the Commission d’accès à l’information du Québec (CAIQ), which may request them as it is the body mandated to ensure compliance with the provisions of the law.
If the confidentiality of personal information is compromised, the law provides that the CAIQ is authorized to implement solutions to reduce the impact on personal information. In such a case, measures must be taken to prevent any risk of recurrence regarding the management of personal information within the targeted company.
The new law: starting from September 2023
Starting from September 22, 2023, new measures are planned to regulate the collection of personal information and how it is used. The main novelty concerns the obligation to obtain the consent of individuals before collecting, using, or disclosing their personal information. Companies will also need to ensure the accuracy of this information and protect it. Before disclosing personal information, the person responsible for law compliance must obtain the consent of the employee in question.
The measures that will come into effect in September 2023 also address data anonymization and the retention period for personal information within the company. It will also be necessary to indicate how the information will be retained during this entire period.
As mentioned earlier, the CAIQ will be responsible for enforcing the new provisions of Law 25. The Commission may impose administrative penalties of up to $25,000 on companies and other organizations that violate the legislation.
In short, as of September this year, you will need to implement measures to ensure the confidentiality of the personal information of your resources within the company, as well as any other personal information that may affect your clients.
The new law: starting from September 2024
As a business operator, you will need to “respond to requests for the portability of personal information.” To do this, your internal systems must:
- “Allow, at the request of a data subject, for the communication of computerized personal information collected from that individual in a structured, commonly used, and technologically interoperable format;
- This communication can also be made to a person or organization authorized by the Law to collect the information, at the request of the data subject.”
To summarize
If you have not yet identified the resource within your company responsible for managing personal information, as required since September 22, 2022, you must do so promptly.
Next, an action plan must be put in place in case of a breach of the confidentiality of personal information. This plan should clearly identify the steps to be taken in the event of a breach of such information.
By no later than September 22, 2023, the inventory of personal information must be defined. Updating this inventory will also be important and should be done continuously.
By no later than September 22, 2024, the right to the portability of personal information must also be part of your personal information and data protection processes.
In conclusion, all members of your team, including, of course, the responsible person, must contribute to the protection of personal data within the organization.
In addition to the information contained in this article, you will find useful information in the explanatory leaflet of the CAIQ. The experts at Nerd Marketing closely monitor the provisions that affect businesses throughout Quebec. Trust experienced and seasoned professionals in the world of digital marketing.
[1] https://www.cai.gouv.qc.ca/documents/CAI_Guide_obligations_entreprises_vf.pdf