Bill 25 — Quebec's Act to Modernize Legislative Provisions on the Protection of Personal Information — has been fully in force since September 2023. Yet in our compliance engagements with Quebec SMBs in 2024 and 2025, we consistently find that the vast majority have significant gaps, often without knowing it.

What Bill 25 Concretely Requires of Your Organization

The law applies to any organization that collects, uses, or discloses personal information about Quebec residents — which includes virtually all SMBs. Here are the main obligations:

  • Designate a Privacy Officer (PO) and publish their contact information on your website.
  • Maintain a confidentiality incident register — every incident must be logged, even if not deemed "serious."
  • Notify the Commission d'accès à l'information (CAI) within 72 hours following an incident involving a serious risk of harm.
  • Publish a privacy policy that clearly explains how you collect, use, and retain data.
  • Obtain valid, granular consent before collecting personal information for secondary purposes.
  • Conduct a Privacy Impact Assessment (PIA) before any project involving sensitive personal information.
  • Manage access and rectification rights — you must be able to respond to an access request within 30 days.

The Gaps We Find Most Often

Without ranking, here are the issues we identify in nearly every Bill 25 compliance engagement:

  • No formally designated Privacy Officer — the executive "assumes" the role without training or documented procedures.
  • The privacy policy is a generic copy-paste that does not reflect the actual data processed by the company.
  • Former employees still have system access — both a Bill 25 compliance risk and a critical security risk.
  • No register of vendors with access to personal data — your cloud accountant, your CRM, your email platform: all must be documented and governed by a data processing agreement.
  • No procedure for responding to access requests — if a client asks "what data do you have on me?", do you know how to respond within 30 days?

The 7-Point Checklist

  • An identified and trained Privacy Officer with their name and contact published.
  • An up-to-date personal information processing register.
  • A company-specific privacy policy, published and dated.
  • A 72-hour incident notification process with a ready-to-submit CAI form.
  • Data Processing Agreements (DPAs) signed with all vendors processing personal data.
  • A documented access rights management process with response deadlines.
  • A PIA conducted for every new project involving sensitive data.

Where to Start If You Are Behind

Our Bill 25 compliance program prioritizes high-penalty-risk items first (PO designation, incident register, CAI notification) — those that protect your organization if an incident occurs during the compliance process. More structural elements are then deployed over 60 to 90 days depending on your environment's complexity.