Share
Written By :
Published on April 1, 2025
Contrary to what many believe, Law 25 in respect of personal information also applies to SMEs. What are your obligations?
In Québec, any organization, including small and medium enterprises (SMEs), that collects, uses or keeps personal information must review its personal information management policy to ensure that it complies with Law 25.
How can you reach that goal? To be in compliance with the law, here are the detailed steps you should follow.
- Designate a person in charge of personal data protection
- Update your privacy policy and make it accessible to customers
- Obtain valid consent before collecting any data
- Adopt security measures
- Plan procedures to address various situations provided by the law
- Conduct a privacy impact assessment (PIA)
- Choose a commonly used technological format to communicate requested information
1 – Designate a person in charge of personal data protection
Each enterprise must designate a person in charge of ensuring compliance with the new regulations. By default, that person is the business owner, but it is common practice to assign this duty to an employee or consultant.
2 – Ensure transparency in data collection
Any enterprise collecting personal data must inform the concerned party, at the time of collection, of the following:
- Why is this data being collected (e.g., billing, opening a file, newsletter)?
- How is it being collected (e.g., online forms, in person)?
- What individual rights does the concerned party have (e.g., access, correction, withdrawal of consent)?
- Who may this information be disclosed to (e.g., suppliers, business partners, entities located outside Québec)?
If you use technology to identify, locate or profile users (e.g., Internet cookies, online tracking tools), your enterprise must first inform the concerned parties and offer them means to enable or disable such functionalities.
3 – Obtain consent
Those concerned by data collection must give clear consent before any data is collected, especially regarding elements listed in section 2.
For example, a contact form must include a checkbox to confirm that the person agrees to sensitive personal information being collected.
4 – Implement appropriate security measures
You must protect the data held by your enterprise, in particular against loss, unauthorized disclosures or cyberattacks, including:
- using secure passwords and updated software;
- encrypting sensitive data;
- establishing an internal access management policy.
5 – Implement procedures to manage requests and incidents
Law 25 requires enterprises to put clear procedures in place to manage various situations involving personal information. The main ones are as follows.
Access and correction requests
You must allow concerned parties to consult any data pertaining to them and request corrections, as needed.
Withdrawal of consent
You must also provide individuals with a simple means of withdrawing their consent to the use or disclosure of their personal information.
Handling complaints
You are required to put an internal process in place to handle complaints regarding the protection of personal information.
Privacy incidents
You must also document any data privacy incident (hacking, unintentional disclosure, etc.) and notify both the Commission d’accès à l’information du Québec and the concerned parties if there is a risk of serious harm.
6 – Conduct a privacy impact assessment (PIA)
You must conduct a PIA before disclosing personal information outside Quebec or starting a project that involves data collection, use or storage (e.g., acquiring new technology, developing or overhauling computer systems, delivering electronic services).
Such an exercise helps you to assess the risks related to the protection of personal information and adopt the right measures to ensure their security and compliance with Law 25.
For example, an SME that migrates its databases to a cloud computing service hosted in another country must first conduct a PIA to ensure that personal information will remain protected in accordance with Québec standards.
7 – Provide easy access to personal information
When a concerned party requests a copy of their personal information, your enterprise must provide it to them in a structured, open and commonly used format, so that it can be easily consulted and reused.
Formats adapted to portability, such as CSV, XML, JSON (open formats readable by different systems).
Formats that should be avoided: PDF, images (JPEG, PNG) or any format that requires proprietary software or a paid licence.
By following these steps, you will be able to comply with most of the criteria relating to Law 25. You should prepare your SME now. Adopting modern and secure practices kills two birds with one stone. You will both avoid any sanctions and make your business more reliable and attractive, by keeping pace with the market. Don’t delay complying with the law!
Do you need assistance? Contact an expert in protection of personal information who can help you assess whether your enterprise is in compliance.
This was written in collaboration with Sabrina Roy, Senior Consultant in Information Governance and Privacy at Raymond Chabot Grant Thornton.