More than ever, the protection of personal information is at the forefront of government concerns. In response to these challenges, the National Assembly of Quebec passed Law 25 in September 2021, and the new provisions came into effect in September 2022, aiming to modernize the protection of personal data. This law impacts not only businesses but also professionals, including notaries, accountants, lawyers, and all private financial services companies.
Deadline for implementation of Law 25
The amendments brought by Law 25 have been gradually coming into effect since September 2022 and will be phased in over a three-year period, until 2024. The Access to Information Commission of Quebec reminds the public, businesses, and public organizations that this significant reform modernizes the rules protecting citizens’ personal information.
Discover the objectives of Law 25
Primarily, Law 25 was designed to promote a culture of personal information protection. It seeks to raise awareness among private businesses and professionals about the importance of safeguarding personal data. It aims to establish a strong culture of privacy and respect within organizations.
Furthermore, Law 25 grants new powers to the Access to Information Commission to oversee and enforce obligations related to data protection.
How to meet the requirements of Law 25?
Law 25 has significant implications for professionals in the legal, accounting, financial, and other service sectors. Professionals must take specific actions to comply with this new regulation, including:
- Avoiding reliance on emails: Given that emails are not always the most secure means of communication, their use for sensitive data exchanges should be reduced.
- Implementing intuitive tools: Professionals should introduce simple tools to ensure effective adoption of new data protection practices.
- Developing internal processes: Clear internal processes to regulate access to personal information are essential. Transparency and traceability are key elements.
- Cultivating a data protection culture: Professionals should promote an internal culture that values daily data protection and compliance with Law 25.
- Transparent and explicit consent: The law requires transparent and explicit consent when collecting personal data. Professionals must clearly explain how this data will be used.
- Mandatory removal of unnecessary data: Law 25 requires the mandatory deletion of personal information when it is no longer needed. Therefore, policies for automatic deletion need to be established.
- Strict privacy settings by default: The law stipulates that privacy settings should be configured with strict defaults to ensure data security.
- Integrating privacy from the outset: A proactive privacy-oriented design must be followed from the beginning of any technological project.
- Appointing a Personal Information Protection Officer: This person will be responsible for ensuring data protection within your company.
- Maintaining a detailed incident log: This log must be very detailed, containing all incidents that have occurred, and it should be regularly updated. Of course, you must inform the Commission and the affected individuals if the violation could cause serious harm.
Dimpo complies with Law 25
Dimpo places great importance on compliance with Law 25 and is fully committed to helping professionals adhere to this new legislation. Here’s how we contribute to this effort:
- Secure client messaging: We offer highly secure client messaging that ensures data protection from collection. We guarantee automatic data deletion and permanent file deletion. Additionally, we ensure precise access traceability and automated consent management.
- Comprehensive security: In addition to standard security solutions like antivirus software, it is essential to secure interactions with your clients to preserve data confidentiality. Dimpo promotes a comprehensive view of data security through cutting-edge technologies.
- Assistance for data governance: Dimpo assists accounting offices and financial services professionals in establishing robust data governance. We provide tailored assistance, including our privacy-oriented design principles.
- Centralized data in a secure cloud space to prevent information from being scattered.
Conclusion
Law 25 represents a significant milestone in personal information protection in Quebec. Professionals must not only comply with it but can also rely on innovative solutions like Dimpo to ensure the security and compliance of their data. Personal information protection has become a top priority, and Law 25 is a catalyst for change for professionals and their clients.