Be Prepared. Be Compliant. What You Need to Know About Quebec Law 25



In June 2021, Quebec’s National Assembly passed Bill 64, also known as Quebec Law 25, to update Quebec’s privacy legislation to protect individuals’ personal information in the digital age. While privacy advocates have welcomed the law, organizations may need help to understand and comply with the new requirements and enforcement mechanisms.

In this article, I explore how Hitachi Solutions, a leader in designing and delivering Microsoft business transformation solutions, applies industry-specific expertise and Microsoft technology and tools to help organizations develop their strategies for addressing the challenges posed by Law 25 and complying with the new requirements.

Overview of Law 25

Law 25 is designed to modernize Quebec’s privacy laws. It outlines a host of changes to the existing framework that provide stronger data protection rights to individuals, along with stricter regulations for public and private organizations that handle personal information.

Historically, privacy law in Quebec has consisted of an array of provincial and federal legislation. Law 25 acts as a blanket update, most notably with respect to the law governing access to documents held by public bodies (the Public Sector Act) and the law governing the protection of personal information in the private sector (the Private Sector Act). The changes are comprehensive and come with serious penalties for non-compliance.

The Implications

Increased accountability for businesses

Law 25 places greater accountability on organizations that collect, use, and disclose personal information. You must now obtain individuals’ explicit consent to collect and use their data and provide greater transparency around your data practices. The law also requires you to implement appropriate measures to protect personal information and to notify individuals and regulatory authorities in case of a breach. You must also appoint a privacy officer responsible for ensuring compliance with the law.

New enforcement mechanisms

Law 25 introduces new enforcement mechanisms, including the ability for the Privacy Commissioner to issue fines of up to $25 million or 4% of global revenue for non-compliance. The law also allows individuals to sue organizations for damages for mishandling their personal information.

How to Prepare for Law 25

Whether you are a large or small organization, implementation of Law 25 could require considerable time and resources. To mitigate the potential negative consequences, it’s best to be prepared and have a plan. Hitachi Solutions has experience helping organizations develop comprehensive compliance strategies based on Microsoft native products and services:

  • Education and awareness. The first step in any remediation strategy for Law 25 is to educate and raise awareness among employees and stakeholders about the new requirements and enforcement mechanisms. Hitachi Solutions offers options and tools to help you achieve this goal, including creating a customized training portal with compliance and privacy best practices training materials. Also, we recommend implementing a unified dashboard for managing compliance activities across the organization to assess compliance posture and generate reports that help demonstrate compliance with privacy regulations.
  • Data classification and governance. One of the critical requirements of Law 25 is that organizations must classify personal information and implement appropriate safeguards to protect it. Hitachi Solutions has the technical expertise and tools that can help you do this:
    • Microsoft Purview Compliance Manager provides built-in capabilities for classifying, labeling, and protecting sensitive information across the entire data estate. It also helps you identify critical privacy risks associated with personal data, such as over-exposure, data hoarding, or cross-border data transfer.
    • With Microsoft Purview and Microsoft Priva, Hitachi Solutions can automate privacy operations and reduce risks. The solution provides customizable and out-of-the-box policy templates for data overexposure, depreciation, and transfers. Once these policy templates are deployed, the solution can detect risks and automatically alert you about violations so you can take immediate action and minimize impact.
  • Incident response and reporting. Law 25 requires organizations to report data breaches to the Privacy Commissioner and affected individuals. Hitachi Solutions delivers several options that can help you identify and respond to data breaches and other security incidents:
    • Microsoft Sentinel provides a cloud-native security information and event management solution enabling your organization to collect, analyze, and automate incident response to security events across the entire data and technology footprint.
    • Microsoft Priva provides insight into essential discoveries from data overexposure or transfer policies. Within the Privacy Risk Management solution in Priva, you can customize alerts about content that matches specific policy conditions.
  • Proportional enforcement. Law 25 states that penalties must be reasonable and proportionate to the violation’s severity. Microsoft has several tools that can help you demonstrate compliance with the law’s requirements and mitigate the risk of excessive penalties. These include Microsoft Purview Compliance Manager, which provides a unified dashboard for managing compliance activities across various services, including compliance with Law 25. Compliance Manager also enables you to assess your compliance posture and generate reports.

Strategize with Hitachi Solutions

Law 25 is a significant step forward in protecting personal information and privacy in Quebec. However, it also presents challenges for organizations, which must obtain consent and comply with increased accountability requirements, and it could potentially hinder innovation.

Hitachi Solutions can help you overcome these challenges and comply with the law while protecting personal information. This includes partnering to develop a privacy compliance program, ensure transparency in data collection, implement appropriate security measures, and monitor and report breaches.

Businesses that proactively manage Law 25 compliance by advancing their security can increase consumer trust and demonstrate their commitment to responsible and ethical data handling. Contact the data and analytics experts at Hitachi Solutions to act now and avoid potential regulatory fines or brand and reputation damage.