Law 25, also known as An Act to modernize legislative provisions as regards the protection of personal information, contains new responsibilities for businesses.
What do you need to know about these new responsibilities and what do businesses have to do to comply? The experts at Nerd Marketing will give you all the details and some good practices that you should adopt now, to facilitate an efficient transition toward your new obligations.
The New Law: Provisions Effective as of September 2022
In accordance with the new provisions in force since September 22, 2022, businesses, regardless of their size, have to designate a person to ensure compliance with the law. Among other things, this person will have to ensure that the business’ policies and procedures comply with the law’s new provisions.
Even more importantly, all businesses will be required to maintain a register of the personal information they are responsible for, as well as a register of all personal information disclosures. These registers must be made available to the Commission d’accès à l’information du Québec (CAIQ), the organization appointed to ensure compliance with the law’s provisions, which could make a request to check these registers.
If the confidentiality of personal information is compromised, the law states that the CAIQ can implement solutions to reduce the impact on personal information. In such a scenario, measures will have to be adopted to avoid the risk of any new incidents regarding personal information management within the business involved.
The New Law: As of September 2023
Taking effect in September 2023, new measures are planned to regulate the collection of personal information and the way this information can be used. The key change is the obligation to obtain the consent of people before collecting, using or disclosing their personal information. In addition to overseeing the protection of personal information, businesses will also have to ensure its accuracy. Before disclosing personal information, an employee will have to obtain the consent of the person within the business that is responsible for compliance with the law.
The measures that will come into effect in September 2023 also concern the anonymization of data as well as the preservation period of personal information within the business. It will also be necessary to indicate how this information will be preserved during this period.
As already mentioned, the CAIQ will be responsible for the enforcement of the new provisions of Law 25. The Commission will be able to impose administrative penalties that can go up to $25,000 on businesses and organizations that do not comply with the privacy legislation.
In short, starting from September this year, you will need to implement measures to ensure the confidentiality of personal information within your business, including any other personal information that is likely to have an impact on your clients.
The New Law: As of September 2024
As a person running a business, you will be required to “address data portability requests related to personal information.” To that end, your internal systems will have to:
- “Make it possible to communicate, at the request of the individual concerned, the digital personal information that has been collected about them, in a structured and commonly used technological format;
- Ensure this information can also be provided to an individual or an organization authorized by the Law to collect this information, at the request of the individual concerned.”
To Sum Up
If you have not designated the appropriate person within your business for the management of personal information yet, as had to be done by September 22, 2022, you have to do it now.
Next, an action plan needs to be implemented in case of a confidentiality incident. This plan will have to clearly identify the measures to be taken in case of said incident.
For fall 2023, the inventory of personal information will have to be defined by September 22, 2023, at the latest. Updating this inventory will also be an important part of the process, and it will have to be done continuously.
Then, by September 22, 2024, the right to data portability related to personal information will also have to be part of your protection protocol for personal data.
In conclusion, all the members of your team, including, of course, the privacy officer, will have to contribute to the protection of personal data within the organization.
In addition to the information contained in this article, you will find useful details in the information pamphlet of the CAIQ. The experts at Nerd Marketing are closely monitoring the provisions that are affecting businesses all over Quebec. Trust your seasoned and highly qualified experts in the world of digital marketing.