Québec Bill 64 is a law passed in 2021 to modernize the Canadian province's Private Sector Act and improve personal data protection standards. One key provision of the bill is Law 25, which includes requirements that govern the collection, use, and communication of personal information and empowers Québec's data protection authority – the Commission d'accès à l'information du Québec – to enforce requirements such as conducting privacy impact assessments before transferring personal data outside the province.
Canadian authorities implemented the data protection requirements of Law 25 in stages in September of 2022 and 2023, with additional enforcement set to begin in September 2024.
Applicable to any entity established in Québec and/or doing business in Québec that is collecting, using, or disclosing personal information of individuals located in the province, the law enforces penalties ranging from CAD10 million or 2% of global turnover up to CAD25 million or 4% of global turnover for violations.
Organizations doing business in Québec should evaluate their existing third-party data protection practices to determine whether current processes are compliant with the law.
Govern the collection, use, and disclosure of personal information of individuals located in Quebec
Conduct mandatory privacy impact assessments (PIAs) for the transfer of personal information outside of Quebec
Include mandatory provisions within all outsourcing contracts (e.g., third parties)
Align Your TPRM Program with CCPA, GDPR, HIPAA and More
Download this guide to review specific requirements from 6 data privacy authorities, identify TPRM capabilities that map to each requirement, and uncover best practices for ensuring compliance.
Québec Law 25 TPRM Requirements
The table below summarizes select provisions in Law 25 that pertain to third-party data protection, and how the Prevalent Third-Party Risk Management (TPRM) Platform can help address the requirements.
Note: The information presented in this table is a summary of Law 25 requirements and therefore must not be considered comprehensive legal guidance. Please consult the full text of the law and your organization’s legal counsel to determine the best course of action for your company.
|Select Québec Law 25 Requirements
|Third-Party Risk Management Best Practice
Effective September 22, 2022
In the event of a confidentiality incident involving personal information:
a. Take reasonable measures to reduce the risks of harm to the affected individuals and prevent similar incidents from occurring again.
b. Notify the Commission and the affected individual if the incident poses a risk of serious harm.
c. Maintain a record of incidents, a copy of which must be provided to the Commission upon request.
Respond to, report on, and mitigate the impact of third-party vendor data protection incidents by centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance. Key capabilities in your third-party incident response program should include:
Establish practices that will allow you to react appropriately and quickly in the event of a confidentiality incident involving personal information (e.g., incident response plan and staff directive).
Consider structuring incident response practices around a common industry best practice framework for incident management such as the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide, SP 800-61.
Inventory the personal information held by your company (or on its behalf by a third party) and assess its sensitivity.
Start by building a map to identify relationships between your organization and third, 4th or Nth parties to visualize information paths and determine at-risk data.
Effective September 22, 2023
Conduct a Privacy Impact Assessment (PIA) when required by the law, for example, before disclosing personal information outside of Québec.
Conduct an internal Privacy Impact Assessment (PIA) targeting the most sensitive privacy-related data and business processes with the highest risk. Leverage the PIA to evaluate the origin, nature and severity of the potential risk and provide recommendations for mitigating identified risks and ensuring compliance with privacy regulations.
Then, assess vendor data privacy controls using a dedicated Law 25 survey. The survey should be designed to identify risks and map them to controls for a clear view of potential hot spots.
Destroy personal information when the purpose of its collection is achieved or anonymize it for use in serious and legitimate purposes, subject to conditions and a retention period specified by law.
Automate offboarding procedures to reduce your organization’s risk of post-contract exposure. Seek solutions that enable you to:
Since the inventory of personal information is evolving, it is important to keep it up to date to account for changes that may have occurred within your company (e.g., new collection of personal information for a project) and to ensure that you plan your actions adequately and comply with all your obligations.
Continuously monitor for third-party data breaches. Identify types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications.
Assess the project's compliance with privacy laws.
Address privacy regulations by mapping risks and responses to controls, gaining percent-compliance ratings, and generating stakeholder-specific reports.
Implement strategies and measures to avoid these risks or reduce them effectively.
Automate risk identification based on established thresholds and augment practices with workflows that escalate identified risks to the proper stakeholder for immediate review and disposition.
Recommend specific remediations or be willing to accept compensating controls where there are control deficiencies identified in data privacy practices.
Get a Handle on Third-Party Data Privacy Risks
The Data Privacy and Third-Party Risk Management Best Practices Guide shares a prescriptive approach to evaluating data privacy controls and risks at every stage of the vendor lifecycle.