Interactive · Free

Is your business ready for Quebec's Law 25?

Thirteen yes / no questions, two minutes, no email required. We'll score your readiness against the core obligations of Law 25 — and flag the gaps most likely to expose you to a complaint, an order, or a penalty. If you hold the personal information of anyone in Quebec, Law 25 likely applies to you, wherever you're based.

  1. 1 Have you designated a person responsible for the protection of personal information (a privacy officer), with their title and contact published?
  2. 2 Do you have a process to assess a confidentiality incident and notify the Commission d’accès à l’information (CAI) and affected individuals when there is a risk of serious injury?
  3. 3 Do you keep a register of confidentiality incidents, as Law 25 requires?
  4. 4 Do you have an up-to-date inventory of the personal information you hold — what it is, where it lives, and why you have it?
  5. 5 Do you obtain clear, free, and informed consent for collecting and using personal information, with a separate request for each distinct purpose?
  6. 6 Do you publish policies and practices governing personal information in clear, plain language on your website?
  7. 7 Do you carry out privacy impact assessments (an EFVP) for projects involving personal-information systems and before transferring data outside Quebec?
  8. 8 Can you handle access, correction, de-indexing, and data-portability requests within the legal timeframe?
  9. 9 Do you protect personal information with security measures appropriate to its sensitivity — access controls, encryption, and monitoring?
  10. 10 Do your contracts with service providers who handle personal information on your behalf include the required confidentiality and security commitments?
  11. 11 Before sending personal information outside Quebec, do you assess whether it will receive adequate protection?
  12. 12 Do you destroy or anonymize personal information once the purpose it was collected for has been achieved?
  13. 13 For any product or service that collects personal information, are the default settings the most privacy-protective option?

Need to close the gaps before they become a problem?

Book a no-obligation consultation and our Compliance & Risk Advisory team will help you meet your Law 25 obligations — and put the security controls behind them, with the evidence to prove it.

Talk to our team