Bill 25 modernizes the legislative provisions regarding the protection of personal information. Its purpose is to give users better control over their personal information.
To comply with the requirements of this bill, organizations must put in place several measures. The bill will gradually come into force in 3 phases spread over 3 years, from September 2022 to September 2024, in order to give organizations time to implement these major changes.
Let’s take a look at these 3 main steps together in order to clarify the aspects to cover for each of them and prepare you as well as possible!
Step 1: September 2022
For the month of September 2022, the following points must be covered by your organization:
- Identify a contact person responsible for the protection of personal information. The title and contact details of the person in charge must be published on the organization’s website, and/or be made accessible to those who so wish.
- Develop policies and practices for the governance of personal information. Each organization will have to establish and implement a policy and practices governing how it handles personal information. These policies and practices must be accessible to people who so wish via the website or other media.
- Create a privacy incident log and notification process. This register must list all incidents related to the confidentiality of data and must be communicated, on request, to the Commission for access to information.
- Take inventory of the organization’s storage spaces and personal information
- Implement a training program on the protection of personal information
Step 2: September 2023
For the month of September 2023, here are the points that will have to be put in place:
- Update the policies and practices governing the data life cycle: retention, destruction, anonymization of personal information
- Develop a complaint handling process related to the protection of personal information
- Make public the key elements of governance regarding the protection of personal information
- Develop a privacy impact assessment policy and process for the handling of personal information
- Develop a consent collection process to collect, hold, use or disclose personal information
- Set up a process to deindex
Step 3: September 2024
In September 2024 we are coming to the end of the Bill 25 process.
- Put in place measures facilitating the right to data portability.
If an individual asks you for access to their data, they must be able to access it in a simple and understandable format.
In short
Bill 25 comes with its share of changes and requires adaptations within your organization in order to comply with it. The gradual entry into force of this bill is deliberate: it allows each organization to work through the requirements step by step.
This bill is not to be taken lightly: not complying with these rules could cost you dearly from a financial and penal point of view.
Would you like to benefit from support for compliance with Bill 25? Do not hesitate to contact our team for more information. Our experts will be able to support you in your process towards optimal compliance.