Quebec Case Studies
5 fictional but realistic scenarios illustrating typical situations for Quebec SMBs. Any resemblance to a real organization is coincidental.
Situation: "Mode BorΓ©ale," a Longueuil business with a Shopify online store, collects names, addresses, emails and purchase histories from 12,000 customers. Data hosted outside Quebec.
Problems identified: No clear privacy policy, marketing consent buried in terms of service, no PIA for the out-of-province hosting.
What they did:
- Designated the co-owner as Privacy Officer, published her contact info on the site
- Rewrote a simple privacy policy, added a separate marketing consent checkbox
- Carried out a PIA on the Shopify hosting and updated the supplier agreement
- Set up a retention schedule (purging accounts inactive for 3+ years)
Situation: A clinic holds health data (sensitive information requiring enhanced protection).
Incident: An unencrypted laptop containing patient files is stolen from a vehicle.
Compliant response:
- Incident logged in the register as soon as discovered
- Assessment: sensitive data + risk of fraud = confirmed risk of serious harm
- CAI notified within 72 hours, patients notified with vigilance advice
- Corrective measures: encryption of all laptops, no-local-storage policy
Situation: A nonprofit manages donor and beneficiary data with a small staff and a tight budget.
Challenge: "We can't afford a compliance department."
Proportionate solution:
- The executive director becomes Privacy Officer by default, supported by a skilled volunteer
- Use of free templates (CAI, sector associations) for policies and the register
- Prioritization: incident register, MFA on cloud accounts, privacy policy
Situation: A brokerage holds detailed financial information: income, debts, clients' identity documents.
Risks: Over-collection (asking for more than necessary), indefinite retention, sharing with partners without contractual safeguards.
Path to compliance:
- Minimization: only request the documents actually needed for each file
- PIA on CRM tools and lending partners
- Contracts updated with partners (Law 25 subcontracting clauses)
- Limited retention and secure destruction after the required legal period
Situation: A manufacturer holds HR data (payroll, disability medical records) and suffers a ransomware attack encrypting its servers.
Response:
- Immediate containment: isolate systems, activate the response plan
- Logged in the register, risk assessed (sensitive HR data exposed) β confirmed risk of serious harm
- CAI notified + affected employees, credit monitoring offered
- Restoration from offline backups untouched by the attack
- Post-mortem: MFA rolled out everywhere, network segmentation, anti-phishing training
Cross-cutting lessons
- Encryption and offline backups radically reduce the impact of incidents
- Data minimization limits exposure in the event of an incident
- Proportionality protects small organizations: doing the essentials is often enough
- Documenting your efforts demonstrates due diligence in an investigation