Preparing for the implementation of Law 25

Law 25 (Bill 64) or “An Act to modernize legislative provisions as regards the protection of personal information” will come into force gradually over the next three years. The first deadline to comply is September 22, 2022. It’s coming… Are you ready? Here is a summary of the requirements required by this law as of this year.


First bonds from September 2022

Quebec is one of the first provinces in Canada to undertake a reform of its laws on access and protection of personal information. Law 25, officially named An Act to modernize legislative provisions as regards the protection of personal information was adopted by the National Assembly of Quebec on September 22, 2021 (LQ 2021, c 25), in order to significantly modify the following laws:

  • Act respecting access to documents held by public bodies and the protection of personal information (1982);
  • Act respecting the protection of personal information in the private sector (1993).

Based on the European Data Protection Regulation (GDPR), Law 25 brings the most ambitious changes in North America in terms of data protection. This legislative transformation will affect all companies that interact with Quebec residents, even if their head office is outside Quebec.

Its main objectives are:

  • improve the protection of personal information and respect for privacy,
  • provide recourse in the event of non-compliance with regulations by organizations.

This law will create many obligations and will change the way we manage our applications. Its repercussions are significant and will require adaptations.


Get ready for your compliance

The provisions that come into force on September 22, 2022 are :

  • The appointment of a person in charge of the protection of personal information, called Data Protection Officer (DPO). By default, this function is carried out by the most senior manager. This role can be delegated to another internal person or to an external resource.
  • The contact details and name of the manager must be communicated to the Commission d’accès à l’information du Québec (CAIQ), and be published on the company’s website.
  • The creation and maintenance of a register of confidentiality incidents to be transmitted to the CAIQ in the event of an incident. All victims of an incident must also be notified.
  • The establishment of a management committee to ensure compliance with the Act is required for public bodies only.


Dialog Insight complies with the requirements of Law 25

At Dialog Insight, we have revised the functionalities of our platform, so that they meet the requirements of Law 25. For several years, we have been implementing advanced functionalities and protocols for data protection and continue to be at the forefront to better serve and protect our customers. Rest assured that your data is kept in Quebec and that, under no circumstances, we will share it with a third party without authorization.

To demonstrate this commitment, Dialog Insight holds ISO 27001 certification, an international standard for information security. This standard provides a framework for an information security management system (ISMS) that enables the maintenance of confidentiality, integrity and availability of information, as well as legal compliance.

We also perform SOC II Type 2 audits annually to validate our controls in place and their effectiveness.

For more details on the security measures we have in place, do not hesitate to consult our security page.


Dialog Insight helps you comply

Dialog Insight can help you comply with new regulations in time to avoid any possible sanctions related to the use of our platform.

For our users, we will support you in implementing the new measures gradually.

As a Dialog Insight customer, we will ask you to provide us with the name and contact details of your DPO shortly.

Other articles will be published regularly to help you take the necessary measures to comply with the regulations.

In the meantime, if you have any questions, please do not hesitate to contact us.


Law 25, what to remember:

The first requirements of Law 25 on data protection and privacy will come into force on September 22, 2022. The next deadlines are more complex. To support you, Dialog Insight will provide you with tools to help you better understand the changes your company will need to make in order to be compliant and avoid any sanctions. We will also publish a compliance guide under Law 25 which will include the requirements that will apply in September 2023 and 2024. Be on the lookout!

Don’t miss any news. Sign up now to receive our new articles by email by clicking here.

These articles do not represent legal advice. You should consult your legal advisors for an opinion regarding Law 25 or its implication.