Quebec has adopted its most far-reaching data privacy law to date, Bill 64, which modernizes the whole data privacy landscape in the province. Every business that processes personal information must comply with the new legislation, with the first provisions taking effect in September 2022.
Because the legislation imposes major changes on businesses, the provisions of Bill 64 come into force gradually, with the last of them applying in September 2024. There is therefore more than one effective date to keep in mind. This article briefly reviews that phased implementation and provides a timeline to help you prepare for the major changes.
The information presented below has been verified by Assurance IT’s in-house Lawyer and Data Privacy Expert. If you want to skip over the hours of research necessary to understand the upcoming changes, consider joining our training program.
One of the significant changes Quebec businesses will need to plan for this year is the appointment of a person in charge of the protection of personal information, a role comparable to a Data Protection Officer (DPO). This person should be chosen carefully, since they will oversee the entire implementation of the new law and be responsible for ensuring compliance.
It will be mandatory to announce the designated DPO to the general public by publishing their professional contact information on the company’s website.
If no one is officially designated by September, the role is assigned by default to the person exercising the highest authority within the company, usually the CEO or President.
The CEO or President may, however, delegate the role in writing, either to someone internally or to a third party.
Contrary to what you might expect, the IT manager is not necessarily the best fit for the role: the person who designs and runs the systems that process personal information would also be the one judging whether they comply, a conflict of interest we discuss in depth in our training.
Another important provision coming into effect this year is the requirement to implement a process for handling confidentiality incidents.
Organizations will need to keep an internal register of every confidentiality incident, including data leaks, loss of personal information and any unauthorized access or use. An incident must be recorded regardless of its severity. When the incident presents a risk of serious injury, reporting it to the Commission d'accès à l'information (CAI) and to the affected individuals will be mandatory by law.
The biggest takeaway from this legislation is that organizations will be more accountable and therefore required to demonstrate full transparency about their data processing activities. More specifically, they will need to disclose how they protect personal information and what it will be used for.
Every enterprise will have to review its organizational and structural measures. To start, it will need to establish, or thoroughly update, its governance policies and practices in line with the new requirements. These policies then serve as the guidelines for every measure that follows, and they must be published on the company's website to inform customers of how the business operates.
These policies must, at a minimum:
1) Include a framework for the use, retention and destruction of personal information
2) Define staff roles and responsibilities throughout the personal information lifecycle
3) Put in place a process for handling complaints
With Bill 64, legislators stress the importance of consent. Each time personal information is collected, consent must be obtained for each specific purpose, and it must be requested in clear and simple language, separately from any other information provided to the person.
If consent is obtained under unclear terms, or the information is used for a purpose other than the one consented to, the consent will be deemed invalid in the eyes of the law and the processing of that data will be unlawful. Companies therefore need to review their current consent forms and the consent provisions of their privacy policies.
In addition to giving individuals more control over the collection of their personal data, substantial modifications were made to the pre-existing rights to strengthen the control people have over their personal information. Every organization will therefore need to be prepared to respond to requests made under those rights.
The changes in the law introduce fundamental rights, like:
Organizations will have no choice but to become familiar with privacy impact assessments (PIAs), since they will become common practice. Essentially, a PIA is a risk management procedure that assesses the privacy-related factors of a project or system. Bill 64 sets out four (4) distinct scenarios in which conducting a PIA will be compulsory. Our training goes into much more detail on every provision listed in this article.
The depth of the assessment is proportional to the sensitivity of the personal information involved, so companies will have to:
1) Know what personal information they are dealing with
2) Have a process for categorizing it by sensitivity
3) Establish, on that basis, how thorough each PIA needs to be
Companies that make decisions about individuals through automated processing of personal information, or that use technologies to identify, locate or profile people, will need to review those systems so that they respect the new restrictions, including the obligation to inform the individuals concerned.
Whenever your company communicates personal information to a third party, a new set of rules applies to that data flow. Clear written contractual agreements will need to be in place, and transfers outside Quebec will first require a PIA. The most important part of this provision is that your company remains liable for the use of the personal information it has transferred to third parties.
Privacy by design means that privacy is embedded into every process. Products and services that collect personal information will be required to offer, by default, the highest level of privacy settings, without any action on the user's part. Privacy will also need to be considered from the very beginning of every project that involves personal data, giving users a guarantee that their personal information is protected automatically.
It will be crucial for companies to have mechanisms that tell them what kind of data they are protecting and for how long they need to retain it. Once the purpose for which the data was collected has been achieved, the data must be destroyed. In some very specific circumstances, the data may be kept, but only if it is anonymized first.
Last but not least, starting next year, severe new penalties will be enforced by the supervisory authority for Bill 64, the Commission d'accès à l'information (CAI), which has been given the authority to enforce the new law.
These penalties reach amounts never before seen in the field of privacy in Quebec, and from a business perspective they are a strong incentive to comply. For example, penalties can go up to 25 million Canadian dollars, or 4% of worldwide turnover for the preceding fiscal year, whichever is greater.
Of all the requirements that businesses will need to implement, the right to data portability, which takes effect in September 2024, will most probably be one of the most challenging, because it is difficult to implement technically.
This right will allow Quebec citizens to request a copy of the personal information they provided to the company, in a structured, commonly used technological format.
In other words, companies will have to give individuals a computerized copy of their personal information, which means they will need to know where that information lives in their systems and adopt new processes to fulfill those requests.
Assurance IT understands that this is overwhelming to figure out. There is no doubt that Bill 64 will be a challenge for every Quebec business.
Rather than spending hours on research, there is an easier way to know where to start. Assurance IT offers a complete 8-hour training that prepares you for Quebec's new data privacy landscape.
Register for Assurance IT's training on Quebec's Bill 64 here. If you have any questions, email us at firstname.lastname@example.org.