Law 25 compliance checklist
Part of the Quebec Law 25 & PIPEDA Compliance series. Related: Quebec Law 25 Small Business Requirements; What Is Quebec Law 25.
A Law 25 compliance checklist breaks Quebec's privacy obligations into concrete, verifiable steps: appoint a privacy officer, map your data, update consent and policies, prepare an incident-response process, and secure your systems. Because Law 25 is fully in force as of September 2024, every covered Quebec organization should be able to demonstrate it has worked through each item. The checklist below turns the law's broad requirements into a practical sequence you can implement and document.
Governance and accountability steps
The first block of any Law 25 checklist establishes who is responsible and how decisions are recorded. These foundational steps are what a regulator looks at first:
- Appoint a privacy officer (the person in charge of the protection of personal information) and publish their title and contact information on your website. By default this role falls to the person with the highest authority in the organization, who may delegate it in writing.
- Document governance rules describing how personal information is handled, retained, and destroyed.
- Create a register of confidentiality incidents so every breach is logged, even minor ones: record what happened, the personal information involved, when it occurred and was discovered, how many people were affected, and the measures taken. Keep each entry for at least five years.
- Establish a privacy impact assessment (PIA) process and run it for any project to acquire, develop or overhaul an information system or electronic service that involves personal information, and before communicating personal information outside Quebec.
Getting governance right early makes the rest of the program easier, because it gives you a clear owner and a paper trail. Without a named officer and documented rules, even good technical controls can fail an audit.
Data mapping and consent steps
You cannot protect data you have not identified, so the next checklist block focuses on knowing your data and getting consent right:
- Inventory personal information: list what you collect, where it is stored, who can access it, and how long you keep it.
- Define purposes: document why each category of data is collected and used.
- Update consent flows: ensure consent is clear, free, informed and given for specific purposes, and that it is requested separately from any other information or terms; obtain express consent before using sensitive personal information.
- Apply privacy by default: in any technological product or service you offer to the public, make the most protective privacy settings the default. The one exception written into the law is cookie settings, which are excluded from this default requirement.
- Set retention schedules: destroy or anonymize personal data once its purpose is fulfilled.
This is often the most time-consuming part, but it underpins every other obligation. A clean data inventory makes consent, retention, and breach response far simpler to manage.
Transparency and individual rights steps
Law 25 gives individuals meaningful rights, and your checklist must include the mechanisms to honour them:
- Publish a clear privacy policy in plain language describing your practices.
- Enable access and correction requests with a defined process and response timeline.
- Support data portability by being able to export an individual's computerized data in a structured format.
- Handle de-indexing and deletion requests where the law requires.
- Disclose automated decision-making when decisions are based solely on automated processing.
Documenting how you respond to each type of request protects you if an individual complains to the CAI. A simple intake form and a tracked workflow are usually enough to show you take these rights seriously.
Security and incident-response steps
The final checklist block is technical and is where many organizations have the largest gaps. Reasonable security measures under Law 25 typically include:
- Access controls limiting personal data to staff who need it, ideally with multi-factor authentication.
- Encryption for sensitive data at rest and in transit.
- Monitored, tested backups to recover from ransomware or accidental loss.
- Breach detection and logging so incidents are spotted and scoped quickly.
- A written incident-response plan that defines who assesses whether an incident presents a risk of serious injury, and who decides and carries out notification of the CAI and the affected individuals when it does.
These controls are also what make breach reporting feasible, since you cannot report what you cannot detect. For organizations without in-house IT security, a managed provider can implement and maintain this layer and keep the evidence that controls are working.
FAQ
Is there an official Law 25 compliance checklist?
The Commission d'accès à l'information (CAI) publishes guidance rather than a single fill-in checklist. Practical checklists, like the one above, translate the law's obligations into actionable steps covering governance, data mapping, consent, individual rights, and security so businesses can track their progress.
How long does it take to become Law 25 compliant?
For a small business with simple systems, a focused effort can take a few weeks; for organizations with complex data flows or multiple systems, it may take several months. The data inventory and security controls usually take the longest. Starting with governance and a data map keeps the project manageable.
What is the most commonly missed checklist item?
A complete data inventory and tested backups are the items most often missing. Many businesses have policies but cannot say exactly where personal data lives or prove they could recover it after a breach. Both gaps undermine the rest of the compliance program.