Drive Law 25 sensitive data compliance

Law 25 Overview

Law 25

The Act to modernize legislative provisions as regards the protection of personal information, commonly known as Law 25, brings important modifications and modernization to laws that cover personal and sensitive information. The law was sanctioned by the Quebec National Assembly back in September 2021 and will have provisions coming into force in September 2022, September 2023 and September 2024. Law 25 aims to offer tighter control around individuals’ personal data and strengthens corporate obligations in terms of governance, transparency and compliance.

Businesses impacted

All organizations located in the province of Quebec, regardless of whether they are private or public, are required to follow the regulations outlined in Law 25. This applies to all types of organizations, from small startups to large enterprises, and includes any organization that handles, uses, or shares the personally identifiable information (PII) of its stakeholders. It is important for these organizations to ensure that they are in compliance with Law 25 in order to avoid potential consequences such as financial losses, damage to their reputation, and legal action.

Data types covered

Law 25 covers all personally identifiable information (PII) including sensitive data possessed by organizations in Quebec. Personal information is any information that can be used to identify an individual, such as a name, address, phone number, email address, or Social Security number. This can include demographic information, such as age, gender, race, or income level, as well as financial information, such as bank account numbers or credit card information.

Sensitive personal information is a subset of personal information that is particularly sensitive or private, and may be more vulnerable to misuse or abuse. Sensitive personal information requires additional protection and attention because it is more closely tied to an individual’s identity and may be more difficult to change or protect in the event of a data breach or other security incident.

Compliance requirements

Law 25 will give citizens more control over their personal information. The implementation of this law will require several actions over the next 36 months.

September 2022

  • Designate a Privacy Officer
  • Create or update policies and practices governing the governance of personal information
  • Implement a privacy incident log and notification process
  • Have an inventory of the organization’s personal information
  • Implement a privacy training program

September 2023

  • Update policies and practices for the retention, destruction and de-identification of personal information
  • Implement a privacy complaint process
  • Publish policies and procedures governing the governance of personal information on the organization’s website
  • Introduce a Privacy Impact Assessment (PIA) policy and process
  • Implement a process for obtaining consent to collect, hold, use or disclose personal information
  • Establish a process for destroying or de-identifying personal information and for implementing the right to be forgotten throughout the life cycle of that information

September 2024

  • Implement measures to facilitate the right to data portability

Enforcement and penalties

If an organization fails to adhere to the regulations outlined in Law 25, it may face a variety of negative consequences, including financial losses, damage to its reputation, and legal action. The Quebec Commission on Access to Information (CAI) has the power to impose penalties on any organization that is not in compliance with Law 25. These penalties can take the form of administrative sanctions, which can reach up to $10 million or 2% of business revenues, or legal sanctions, which can reach up to $25 million or 4% of business revenues.

Six ways Qohash drives compliance

Monitor sensitive data risk around the clock and receive alerts the instant risky accumulation, deletion or exfiltration occurs. If an incident occurs, use keyword search to look up a specific data element and track its full data lineage: the exact location where the data left an environment, where it ended up, and every touch point in between.

Qohash provides a complete inventory of sensitive, unstructured data at rest. Qohash discovers sensitive data 50x faster than alternatives, across any data source, in any location. Qohash provides labeling, classification, custom RegEx and keyword searches, plus ranked and contextualized risk.

Run keyword searches by name, date, credit card number and more to find all copies of sensitive data across business systems. See which categories of sensitive data are stored on business systems. See how specific data elements moved across employees and locations. Delete data directly within the platform to show compliance with data deletion requests in any location – including endpoints.

As a foundational step in conducting a risk assessment, Qohash provides an inventory of regulated data across every data source, along with access control lists for evaluating whether those with access have a legitimate business need for it. Gain insight into all critical exposure points for sensitive data. See how much sensitive data is on business systems and who has access to it. Put policies in place, configure risk levels appropriate to the business, and receive notifications the instant policy violations occur.

Qohash provides auditors with evidence that sensitive data is monitored and cross-referenced to employee interactions, enabling in-the-moment policy enforcement. Qohash looks into files to track data elements. It monitors those elements and cross-references them to employees and locations. Know the instant an employee has a risky interaction with sensitive data. Trace the lineage of any data element that moves onto workstations, for faster remediation.

Quickly create an access control list of all regulated data. Provide evidence of restrictions and show regular evaluation of whether those with access have a legitimate business need for it.
