The hot IT topics in the business world in 2023

The main steps of Bill 25 on the protection of personal information

Bill 25 modernizes the legislative provisions regarding the protection of personal information. Its purpose is to give users better control over their personal information.
To comply with the requirements of this bill, organizations must put in place several measures. The bill will gradually come into force in 3 phases spread over 3 years, from September 2022 to September 2024, in order to give organizations time to implement these major changes.
Let’s take a look at these 3 main steps together in order to clarify the aspects to cover for each of them and prepare you as well as possible!

Step 1: September 2022 

For the month of September 2022, the following points must be covered by your organization:

  • Identify a contact person responsible for the protection of personal information. The title and contact details of the person in charge must be published on the organization’s website, and/or accessible to those who so wish.
  • Develop policies and practices for the governance of personal information. Each organization will have to establish and implement a policy and practices governing how it handles personal information. These must be accessible to people who so wish via the website or other media.
  • Create a privacy incident log and notification process. This register must list all incidents related to the confidentiality of data and be provided, on request, to the Commission d'accès à l'information.
  • Take inventory of the organization’s storage spaces and personal information
  • Implement a training program on the protection of personal information

Step 2: September 2023

For the month of September 2023, here are the points that will have to be put in place:

  • Update the policies and practices governing the data life cycle: retention, destruction, anonymization of personal information
  • Develop a complaint handling process related to the protection of personal information
  • Publish the key elements of governance relating to the protection of personal information
  • Develop a privacy impact assessment policy and process for the handling of personal information
  • Develop a consent collection process to collect, hold, use or disclose personal information
  • Set up a process to deindex

Step 3: September 2024

September 2024 marks the end of the Bill 25 process.

  • Put in place measures facilitating the right to data portability.
    If an individual asks you for access to their data, they must be able to access it in a simple and understandable format.

In short

Bill 25 comes with its share of changes and requires adaptations within your organization in order to comply with it. The bill comes into force gradually by design, so that each organization can work through the requirements step by step.

This bill is not to be taken lightly: not complying with these rules could cost you dearly from a financial and penal point of view.

Would you like to benefit from support for compliance with Bill 25? Do not hesitate to contact our team for more information. Our experts will be able to support you in your process towards optimal compliance.
