The most significant elements of the Law 25 amendments to Québec’s privacy regime take effect on September 22, 2023. While there are a number of new or enhanced requirements in the law that may seem overwhelming or too expensive to implement, it is not too late to take proportional, risk-based steps toward compliance. Organizations can mitigate customer, employee and regulatory risk by starting with a few simple steps, even where full compliance is not achievable by the date the law comes into effect.
What you need to know
While the work needed to comply with new Québec privacy requirements is significant for many organizations, some initial steps can help mitigate risk while organizing a broader compliance project. Organizations that fear they are behind as the deadline to comply approaches can start with these few basic actions:
- Adjust the cookies setting on the website
- Document what you already do to protect privacy
- Designate someone in charge of privacy
First steps towards Québec privacy compliance
As we have canvassed in previous articles, Québec’s Law 25 (formerly Bill 64), makes significant amendments to both the private sector and public sector privacy laws in that province. Many organizations—especially startups or foreign companies with some business in Québec—may be left with the impression that compliance with these requirements will be too expensive, resource-intensive, or time-consuming to achieve by the date they come into force. Rather than deferring all efforts to align with this new regime, committing a little effort to some simple first steps can help smooth the transition and mitigate risk.
1. Post a basic privacy policy that describes:
- what types of personal information you collect, and how you use it
- the affiliates, service providers and other third parties you share personal information with
- whether personal information is sent across provincial or national borders
- how to contact you with questions or complaints, or to opt out of uses of personal information
- Ideally, the policy should also describe the internal tools your business uses to protect data, destroy it when no longer required and handle breaches or complaints, as well as any automated decisions made entirely by technology. But don’t delay posting a basic policy if this information isn’t ready.
2. Adjust the cookies setting on the website
- If you aren’t using a cookies banner to get opt-in consent to profiling tools, ask your website developer how to implement one. Set a timeline to implement this step, even if it can’t be done by September 2023.
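One way a website developer might implement the opt-in gate described in this step, shown here as an added example that is not code from the article: profiling and analytics tags are kept out of the page HTML and listed in a registry instead, and only the categories the visitor has explicitly opted in to are ever loaded. Nothing non-essential runs before a choice is recorded, and a missing, malformed or out-of-date consent cookie counts as no consent. The cookie name, the category names, the version field and the script URLs are all assumptions made for the example.

```javascript
// Added example: consent-gated loading of profiling / analytics scripts.
// Cookie name, categories, version scheme and script URLs are assumptions.
// Design: non-essential tags are never written into the HTML as <script>
// tags; they are registered here and only appended once the visitor opts in.

const CONSENT_COOKIE = "privacy_consent";        // assumed cookie name
const CONSENT_VERSION = 1;                       // bump when the policy text changes
const CATEGORIES = ["analytics", "advertising"]; // assumed banner categories

// Constructed registry; "essential" scripts need no consent.
const SCRIPT_REGISTRY = [
  { src: "/static/app.js", category: "essential" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "advertising" },
];

// Read the consent cookie from a Cookie-style string. A missing,
// malformed or out-of-date cookie is treated as "no consent".
function parseConsent(cookieString) {
  const re = new RegExp("(?:^|;\\s*)" + CONSENT_COOKIE + "=([^;]*)");
  const m = (cookieString || "").match(re);
  if (!m) return null;
  try {
    const parsed = JSON.parse(decodeURIComponent(m[1]));
    if (parsed === null || typeof parsed !== "object") return null;
    if (parsed.v !== CONSENT_VERSION) return null;   // policy changed: ask again
    if (!parsed.choices || typeof parsed.choices !== "object") return null;
    return parsed;
  } catch (e) {
    return null;                                     // not our format
  }
}

// Serialize the banner's choices. Opt-in only: any category not
// explicitly ticked is recorded as false.
function serializeConsent(choices) {
  const normalized = {};
  for (const c of CATEGORIES) normalized[c] = choices[c] === true;
  return encodeURIComponent(JSON.stringify({ v: CONSENT_VERSION, choices: normalized }));
}

// Which registered scripts may load given the stored consent
// (null consent = essential scripts only).
function allowedScripts(registry, consent) {
  return registry.filter(
    (s) => s.category === "essential" ||
           (consent !== null && consent.choices[s.category] === true)
  );
}

// Browser-only: append the permitted scripts to <head>, once each.
// Returns the URLs loaded on this call; returns [] outside a browser.
const alreadyLoaded = new Set();
function applyConsent(registry) {
  if (typeof document === "undefined") return [];
  const consent = parseConsent(document.cookie);
  const loaded = [];
  for (const s of allowedScripts(registry, consent)) {
    if (alreadyLoaded.has(s.src)) continue;
    const el = document.createElement("script");
    el.src = s.src;
    el.async = true;
    document.head.appendChild(el);
    alreadyLoaded.add(s.src);
    loaded.push(s.src);
  }
  return loaded;
}

// Browser-only: persist the visitor's choice from the banner, then load
// whatever is now permitted. Secure and SameSite=Lax limit how the cookie
// travels; Max-Age keeps the choice from being treated as permanent.
function setConsent(choices, maxAgeSeconds = 180 * 24 * 3600) {
  if (typeof document === "undefined") return [];
  document.cookie =
    CONSENT_COOKIE + "=" + serializeConsent(choices) +
    "; Path=/; Max-Age=" + maxAgeSeconds + "; Secure; SameSite=Lax";
  return applyConsent(SCRIPT_REGISTRY);
}

// On page load: only essential scripts run until the visitor has chosen.
applyConsent(SCRIPT_REGISTRY);
```

The banner's "accept" and "reject" buttons would call setConsent with the ticked categories; rejecting simply records every category as false, which is also what a visitor who never interacts with the banner gets. Bumping CONSENT_VERSION after a change to the privacy policy invalidates earlier choices so the banner is shown again.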
4. Document what you already do to protect privacy
- Even if you need time to develop a suite of internal policies on IT security, data destruction, privacy breach response or handling privacy complaints, you probably have employees who can address these issues on demand. Start by writing down who is responsible for these issues in your organization, and what they do to protect the data you handle or respond to requests.
- In time, you will want to formalize policies and review them regularly. But in the short term, less formal descriptions of your current practices may help identify gaps, apply for privacy or cybersecurity insurance, and respond to customer, employee or regulator requests for information on your privacy management program.
- In the same vein, make a list of the service providers and other third parties with whom you share personal information. Document whether there is a contract in place that requires them to protect this data and notify you of breaches, and where they store the data. This is the foundation for building a practice of performing privacy impact assessments when you are onboarding new vendors, transferring data outside Québec, or changing your information systems.
5. Designate someone in charge of privacy
- Your organization may not have a full-time privacy officer. But one person should have internal responsibility for privacy compliance, even where multiple employees are involved in the steps described above.
- Write down who is responsible for privacy compliance. List their responsibilities and the other employees and advisors they rely on. Then make a plan to get that employee training or external support to help them serve that role effectively, within the context of your organization, industry and budget.
Next steps to advance your privacy program
While there are efficient, achievable first steps towards compliance with the new Québec privacy regime that can reduce pressure in the short term, there must be a longer-term plan to address the additional requirements. Get legal advice on the additional gaps in your privacy program and engage with other stakeholders, such as business and IT leads, your insurer or your board to make a plan to address them that considers your organization’s data uses, resources and risk profile.