Compliance with Bill 25

7 steps to a successful Bill 25 compliance program

1.  Appoint your privacy officer and his/her team

Identify the people in your company who will make up your information governance committee(s), and specify the role, tasks and responsibilities of each stakeholder.  Familiarize yourself with the obligations arising from Bill 25, identify the personal information processed by the organization, and map out your processing activities. Adopt the necessary resolutions.

2.  Implement your privacy incident management process 

Familiarize yourself with the concepts of privacy incident and risk of serious harm. Learn when and how to notify data subjects and supervisory authorities in the event of an incident. Set up a policy, recovery plan and incident log.

3.  Drafy the policies, guidelines, procedures and registers needed to establish an appropriate corporate culture and governance framework

A simple privacy policy published on your website is not enough to make you compliant with the obligations of Bill 25. In particular, you need one or more policies for protecting the personal information of customers and employees, and you need to manage the various consents required or their withdrawal, and communicate everything properly.

4.  Assess your relationship with subcontractors with whom you share personal information

Determine when and how to carry out a privacy impact assessment in the event of data transfer with a third party or outside Quebec. Validate the posture of your subcontractors with respect to Bill 25 obligations and agree to information security agreements, if required.

5.  Manage your data

Implement an integrated information management policy, a classification plan and a retention schedule for personal and confidential information held by the organization.

6.  Secure your data 

Implement an information security policy and manage access to personal and confidential information. Adopt the required policies for telecommuting, use of mobile devices, encryption solutions, anonymization or pseudonymization. Implement appropriate technological tools and an internal audit procedure.

7.  Train your staff (ongoing)

It's crucial to provide your employees and other staff with access to your systems with training on privacy risks, their responsibilities and the new technological tools deployed within your company. Your employees need to understand their role in your governance program. They need to understand the importance of protecting the personal information you handle in the course of your business.Don't forget to provide regular reminders of good practices and repeat key messages.

Implementing a governance program is a never-ending project. You'll need to continually review and update your policies, as well as ensuring that you remain compliant with changes in legislation and third-party contracts. 

To achieve this, make sure you build a flexible, future-proof program.

Our team can help you set up a comprehensive governance program within your company, and offer advice on assessing, monitoring and enforcing compliance. Finally, to make costs more affordable and benefit from the collegiality of exchanges between organizations working in the same field, find out more about our pooled offerings for groups and associations. 

Contact us today before your company suffers a privacy incident that could affect its reputation or even jeopardize its survival.