This content is provided for informational purposes and does not constitute legal advice. For any decision with legal or regulatory implications, consult a lawyer or the Commission d'accès à l'information (CAI).

⚖️
Legal information — not legal advice This content is educational and general. It does not constitute legal advice and does not assess your particular situation. Consult a lawyer or the CAI for any decision.
FULL GUIDE · 15 CHAPTERS

Law 25 — A Practical Compliance Guide for SMBs

Law 25 (the Act to modernize legislative provisions as regards the protection of personal information, S.Q. 2021, c. 25) has been in force since 2022–2024. This guide covers every obligation — Privacy Officer, incidents, PIAs, individual rights, sanctions — with practical tools built for Quebec and Canadian SMBs.

Compliance Plan → Incident Management

⚠️ Are you already non-compliant?

  • No Privacy Officer designated — the CEO is one by default, often without knowing it
  • No incident register — mandatory since Sept. 2022, even for minor incidents
  • No privacy policy, or one nobody can understand — must be published in plain language
  • Out-of-province suppliers with no PIA or compliant contract — Microsoft 365, AWS, Google = outside Quebec

The guide's 15 chapters

🏢
Chapter 1
Who Is Covered?
Context, the law's objectives, no size threshold, sectors covered, the "we're too small" myth.
📅
Chapter 2
Timeline 2022–2024
3 phases of coming into force. Everything has applied since Sept. 2024.
🧠
Chapter 3
Key Concepts
Personal info, sensitive info, valid consent (5 criteria), automated decisions, anonymization vs. de-identification.
📜
Chapter 4
Business Obligations
Governance, privacy policy, transparency at collection, minimization, retention, security.
👤
Chapter 5
The Privacy Officer
Mandatory designation, written delegation, responsibilities, in-house vs. external, mandatory publication.
🔍
Chapter 6
Privacy Impact Assessments
When, how, 7 steps, a risk-assessment grid.
🚨
Chapter 7 · Priority
Incident Management
Mandatory register, 72-hour CAI notification, serious harm, a 6-step process.
⚖️
Chapter 8
Individual Rights
6 rights: access, rectification, portability, de-indexing, consent withdrawal, automated decisions.
🌐
Chapter 9
Suppliers & Out-of-Province
Cloud computing, PIA before disclosure outside Quebec, outsourcing, mandatory contract clause.
🔧
Chapter 10
Technical Guide — IT & CISO
Data mapping, MFA, encryption, 3-2-1 backups, SaaS security, incident response plan.
📋
Chapter 11
Compliance Plan
A 90-day / 6-month / 12-month roadmap with owners and priorities.
📚
Chapter 12
Quebec Case Studies
5 realistic fictional cases: Shopify boutique, clinic, nonprofit, brokerage, manufacturer ransomware.
🛠️
Chapter 13
Ready-to-Use Templates
Privacy policy, incident register, supplier clause, rights request form, incident notice.
💰
Chapters 14–15
Myths & Sanctions
8 myths debunked, AMPs up to $10M, penal sanctions that can target executives personally.
Chapter 15
FAQ · Glossary · Resources
10 frequent questions, 14 defined terms, official resources (CAI, Légis Québec).
⚠️ Legal disclaimer. This guide is a plain-language educational tool. It does not constitute legal advice. For high-risk decisions, consult a legal advisor and the Commission d'accès à l'information du Québec (CAI): cai.gouv.qc.ca.