
Bill 25: Where Do I Start?

Law 25, concerning the protection of personal information, has been in effect since 2021 and will be fully applicable as of September 2024. For an organization, Law 25 affects many levels and processes, whether the information concerned belongs to employees, clients, or suppliers.

But with a website or an online application, where do I start? Great question!

Updating a website is not necessarily a frequent activity for all organizations, and it can be challenging to navigate. At Ciao, we like to start with a Privacy Risk Factor Assessment (PRFA), a simple table that guides our thinking about data security in the relevant system:

  • The nature of the data in the system
  • Access to the system
  • Technological infrastructures
  • Consent from individuals whose data is in the system
  • Privacy policy

The PRFA is a valuable guide for exploring the different facets of data protection and adopting practices that safeguard not only the company's data but also the company itself. We all know of a business that has fallen victim to data theft. Whether small or large, your organization and its clients deserve protection.

In Quebec, we are committed to obtaining consent from our visitors, users, and clients when they share their personal data with us. Protecting data confidentiality in a web application is essential to maintaining user trust.

Want to learn more? Tell us about your project!

Bill 25: An Overview

Law 25, adopted in Quebec in September 2021, reforms legislation on the protection of personal information by modernizing the rules applicable to businesses and public organizations.

Objectives

  • Strengthen the protection of personal information to address the challenges of new technologies and digital practices.
  • Increase transparency and accountability of organizations in managing personal data.

Key Measures

  • Data Protection Officer: Each organization must designate a person responsible for data protection (often the leader or a delegated individual).
  • Clear Consent Requirement: Businesses must obtain explicit, free, and informed consent to collect, use, or disclose personal information.
  • Transparency: Obligation to inform individuals about the reasons for collecting, using, and disclosing data.
  • Confidentiality: Privacy policies must be easily accessible and understandable.
  • Data Portability: Individuals have the right to request a copy of their personal information in a structured and readable technological format.
  • Impact of Technologies: Obligation to conduct a privacy impact assessment before implementing projects involving personal information, especially for technologies like artificial intelligence.
  • Incident Notification: Organizations must report any confidentiality incident posing a serious risk of harm to the Commission d'accès à l'information (CAI) and affected individuals.
  • Severe Penalties for Non-Compliance: Up to 50,000 for individuals; up to 25 million or 4% of global revenue for businesses.
