Québec Bill 64 is a law passed in 2021 to modernize the Canadian province's Private Sector Act and improve personal data protection standards. Bill 64 is similar in scope to the European Union’s General Data Protection Regulation (GDPR). One key provision of the bill is Law 25, which empowers Québec's data protection authority – the Commission d'accès à l'information du Québec – to enforce requirements such as conducting privacy impact assessments before transferring personal data outside the province. Canadian authorities implemented the data protection requirements of Law 25 in stages in September of 2022 and 2023, with additional enforcement set to begin in September 2024.
This post examines the key requirements in Law 25 that are related to third-party data protection and recommends best practices to address these requirements.
Originally passed in 2021, Québec Law 25 includes requirements that govern the collection, use, and communication of personal information. The law:
The table below summarizes select provisions in Law 25 that pertain to third-party data protection.
Note: The information presented in this table is a summary of Law 25 requirements and should not be considered comprehensive legal guidance. Please consult the full text of the law and your organization's legal counsel to determine the best course of action for your company.
| Select Québec Law 25 Requirements | Third-Party Risk Management Best Practice |
|---|---|
| Effective September 22, 2022 | |
| In the event of a confidentiality incident involving personal information:<br>a. Take reasonable measures to reduce the risks of harm to the affected individuals and prevent similar incidents from occurring again.<br>b. Notify the Commission and the affected individual if the incident poses a risk of serious harm.<br>c. Maintain a record of incidents, a copy of which must be provided to the Commission upon request. | Respond to, report on, and mitigate the impact of third-party vendor data protection incidents by centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance. Key capabilities in your third-party incident response program should include: |
| Establish practices that will allow you to react appropriately and quickly in the event of a confidentiality incident involving personal information (e.g., incident response plan and staff directive). | Consider structuring incident response practices around a common industry best practice framework for incident management such as the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide, SP 800-61. |
| Inventory the personal information held by your company (or on its behalf by a third party) and assess its sensitivity. | Start by building a map to identify relationships between your organization and third, fourth or Nth parties to visualize information paths and determine at-risk data. |
| Effective September 22, 2023 | |
| Conduct a Privacy Impact Assessment (PIA) when required by the law, for example, before disclosing personal information outside of Québec. | Conduct an internal Privacy Impact Assessment (PIA) targeting the most sensitive privacy-related data and business processes with the highest risk. Leverage the PIA to evaluate the origin, nature and severity of the potential risk and provide recommendations for mitigating identified risks and ensuring compliance with privacy regulations.<br>Then, assess vendor data privacy controls using a dedicated Law 25 survey. The survey should be designed to identify risks and map them to controls for a clear view of potential hot spots. |
| Destroy personal information when the purpose of its collection is achieved or anonymize it for use in serious and legitimate purposes, subject to conditions and a retention period specified by law. | Automate offboarding procedures to reduce your organization's risk of post-contract exposure. Seek solutions that enable you to: |
| Since the inventory of personal information is evolving, it is important to keep it up to date to account for changes that may have occurred within your company (e.g., new collection of personal information for a project) and to ensure that you plan your actions adequately and comply with all your obligations. | Continuously monitor for third-party data breaches. Identify types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications. |
| Assess the project's compliance with privacy laws. | Address privacy regulations by mapping risks and responses to controls, gaining percent-compliance ratings, and generating stakeholder-specific reports. |
| Implement strategies and measures to avoid these risks or reduce them effectively. | Automate risk identification based on established thresholds and augment practices with workflows that escalate identified risks to the proper stakeholder for immediate review and disposition.<br>Recommend specific remediations or be willing to accept compensating controls where there are control deficiencies identified in data privacy practices. |
Organizations that must comply with Law 25 should ensure that third parties handling personal information of Québec citizens have controls in place to protect that data. Prevalent provides a scalable third-party risk management platform that addresses data protection risks. The Prevalent Platform:
With Prevalent, your security and privacy teams have a single, collaborative platform for conducting privacy assessments and mitigating both third-party and internal data privacy risks.
Download the Third-Party Data Privacy Compliance Handbook to learn more about how Prevalent can help address your data privacy compliance challenges. Or schedule a demo to discuss how we can address your specific needs.