Québec Law 25 and Third-Party Risk Management

Apply TPRM best practices to meet third-party data protection requirements in this Canadian law.
Scott Lang
VP, Product Marketing
November 30, 2023
Québec Bill 64 is a law passed in 2021 to modernize the Canadian province's Private Sector Act and improve personal data protection standards. Bill 64 is similar in scope to the European Union’s General Data Protection Regulation (GDPR). One key provision of the bill is Law 25, which empowers Québec's data protection authority – the Commission d'accès à l'information du Québec – to enforce requirements such as conducting privacy impact assessments before transferring personal data outside the province. Canadian authorities implemented the data protection requirements of Law 25 in stages in September of 2022 and 2023, with additional enforcement set to begin in September 2024.

This post examines the key requirements in Law 25 that are related to third-party data protection and recommends best practices to address these requirements.

Québec Law 25 Summary

Originally passed in 2021, Québec Law 25 includes requirements that govern the collection, use, and communication of personal information. The law:

  • Applies to any entity established in Québec and/or doing business in Québec that is collecting, using, or disclosing personal information of individuals located in the province
  • Requires conducting mandatory privacy impact assessments (PIAs) for the transfer of personal information outside of Québec
  • Includes mandatory provisions within all outsourcing contracts (e.g., third parties)
  • Enforces penalties ranging from CAD 10 million or 2% of global turnover up to CAD 25 million or 4% of global turnover for violations

Organizations doing business in Québec should evaluate their third-party data protection practices, much in the same way as is required of companies operating in Singapore or the European Union.

Québec Law 25 Third-Party Risk Management Requirements

The table below summarizes select provisions in Law 25 that pertain to third-party data protection.

Note: The information presented in this table is a summary of Law 25 requirements and should not be treated as comprehensive legal guidance. Please consult the full text of the law and your organization’s legal counsel to determine the best course of action for your company.

Select Québec Law 25 Requirements and Third-Party Risk Management Best Practices

Effective September 22, 2022

Requirement: In the event of a confidentiality incident involving personal information:

a. Take reasonable measures to reduce the risks of harm to the affected individuals and prevent similar incidents from occurring again.

b. Notify the Commission and the affected individual if the incident poses a risk of serious harm.

c. Maintain a record of incidents, a copy of which must be provided to the Commission upon request.

Best practice: Respond to, report on, and mitigate the impact of third-party vendor data protection incidents by centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance. Key capabilities in your third-party incident response program should include:

  • Continuously updated and customizable event and incident management questionnaires
  • Real-time questionnaire completion progress tracking
  • Defined risk owners with automated chasing reminders to keep surveys on schedule
  • Proactive vendor reporting
  • Consolidated views of risk ratings, counts, scores and flagged responses for each vendor
  • Workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business
  • Guidance from built-in remediation recommendations to reduce risk
  • Built-in report templates for internal and external stakeholders

Requirement: Establish practices that will allow you to react appropriately and quickly in the event of a confidentiality incident involving personal information (e.g., an incident response plan and staff directive).

Best practice: Consider structuring incident response practices around a common industry best practice framework for incident management such as the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide, SP 800-61.

Requirement: Inventory the personal information held by your company (or on its behalf by a third party) and assess its sensitivity.

Best practice: Start by building a map that identifies relationships between your organization and third, fourth or Nth parties, so you can visualize information paths and determine which data is at risk.

Effective September 22, 2023

Requirement: Conduct a Privacy Impact Assessment (PIA) when required by the law, for example, before disclosing personal information outside of Québec.

Best practice: Conduct an internal Privacy Impact Assessment (PIA) targeting the most sensitive privacy-related data and the business processes with the highest risk. Leverage the PIA to evaluate the origin, nature and severity of the potential risk and to provide recommendations for mitigating identified risks and ensuring compliance with privacy regulations.

Then, assess vendor data privacy controls using a dedicated Law 25 survey. The survey should be designed to identify risks and map them to controls for a clear view of potential hot spots.

Requirement: Destroy personal information when the purpose of its collection is achieved, or anonymize it for use in serious and legitimate purposes, subject to conditions and a retention period specified by law.

Best practice: Automate offboarding procedures to reduce your organization’s risk of post-contract exposure. Seek solutions that enable you to:

  • Schedule tasks to review contracts to ensure all obligations have been met, and issue customizable contract assessments to evaluate status
  • Customize surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments and more
  • Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts, leveraging built-in automated document analysis
  • Take actionable steps to reduce vendor risk with remediation recommendations and guidance
  • Visualize and address compliance requirements by mapping assessment results to other regulations and frameworks

Requirement: Since the inventory of personal information is evolving, it is important to keep it up to date to account for changes that may have occurred within your company (e.g., new collection of personal information for a project), to ensure that you plan your actions adequately and comply with all your obligations.

Best practice: Continuously monitor for third-party data breaches. Identify types and quantities of stolen data, compliance and regulatory issues, and real-time vendor data breach notifications.

Requirement: Assess the project's compliance with privacy laws.

Best practice: Address privacy regulations by mapping risks and responses to controls, gaining percent-compliance ratings, and generating stakeholder-specific reports.

Requirement: Implement strategies and measures to avoid these risks or reduce them effectively.

Best practice: Automate risk identification based on established thresholds and augment practices with workflows that escalate identified risks to the proper stakeholder for immediate review and disposition.

Recommend specific remediations, or be willing to accept compensating controls, where control deficiencies are identified in data privacy practices.

How Prevalent Helps Address Québec Law 25 TPRM Requirements

Organizations that must comply with Law 25 should ensure that third parties handling personal information of Québec citizens have controls in place to protect that data. Prevalent provides a scalable third-party risk management platform that addresses data protection risks. The Prevalent Platform:

  • Sets a strong foundation for third-party data protection within a comprehensive TPRM program
  • Enables teams to build and enforce data protection provisions in contracts, and continually measures adherence to those provisions throughout the vendor lifecycle
  • Delivers visibility into where data is, how it flows, and who has access to it
  • Assesses and continuously monitors third-party data privacy risks in line with common industry standards
  • Speeds risk identification and remediation, mitigating breach costs and reputational damage
  • Generates targeted reports for regulators, vendors and internal stakeholders
  • Continuously monitors for breaches and accelerates incident response to mitigate the risk of a damaging and expensive data security incident

With Prevalent, your security and privacy teams have a single, collaborative platform for conducting privacy assessments and mitigating both third-party and internal data privacy risks.

Download the Third-Party Data Privacy Compliance Handbook to learn more about how Prevalent can help address your data privacy compliance challenges. Or schedule a demo to discuss how we can address your specific needs.

Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.