See how you can maintain an inventory of Law 25-regulated data and provide regulators proof of 24/7 data monitoring, fulfillment of right-to-be-forgotten requests at endpoints, and policy enforcement.
Provide evidence to auditors of steps taken to secure the confidentiality of customer information collected and protect it against threats and unauthorized access.
The Act to modernize legislative provisions as regards the protection of personal information, commonly known as Law 25, modifies and modernizes the laws that cover personal and sensitive information. The law was sanctioned by the Quebec National Assembly in September 2021, and its provisions come into force in September 2022, September 2023 and September 2024. Law 25 aims to give individuals tighter control over their personal data and strengthens corporate obligations in terms of governance, transparency and compliance.
All organizations located in the province of Quebec, regardless of whether they are private or public, are required to follow the regulations outlined in Law 25. This applies to all types of organizations, from small startups to large enterprises, and includes any organization that handles, uses, or shares the personally identifiable information (PII) of its stakeholders. It is important for these organizations to ensure that they are in compliance with Law 25 in order to avoid potential consequences such as financial losses, damage to their reputation, and legal action.
Law 25 covers all personally identifiable information (PII) including sensitive data possessed by organizations in Quebec. Personal information is any information that can be used to identify an individual, such as a name, address, phone number, email address, or Social Security number. This can include demographic information, such as age, gender, race, or income level, as well as financial information, such as bank account numbers or credit card information.
Sensitive personal information is a subset of personal information that is particularly sensitive or private, and may be more vulnerable to misuse or abuse. Sensitive personal information requires additional protection and attention because it is more closely tied to an individual’s identity and may be more difficult to change or protect in the event of a data breach or other security incident.
Law 25 will give citizens more control over their personal information. The implementation of this law will require several actions over the next 36 months.
If an organization fails to adhere to the regulations outlined in Law 25, it may face a variety of negative consequences, including financial losses, damage to its reputation, and legal action. The Quebec Commission on Access to Information (CAI) has the power to impose penalties on any organization that is not in compliance with Law 25. These penalties can take the form of administrative sanctions, which can reach up to $10 million or 2% of business revenues, or legal sanctions, which can reach up to $25 million or 4% of business revenues.