Practical guide

Law 25 SMB checklist: the priority actions

Practical Law 25 checklist for Quebec SMBs: personal information inventory, incidents, consent, vendors, and governance.

Problem

Your SMB must comply with Law 25, but no one knows what to do first.

Expected outcome

A 30-day compliance plan organized by operational priority.

Updated 2026-04-25. 9-minute read. Cybernow.

What is Law 25 for an SMB?

Law 25 is Quebec legislation aimed at modernizing the protection of personal information.

  • It imposes new responsibilities on businesses.
  • It requires appointing a privacy officer.
  • It regulates the collection and destruction of information.

The risks of non-compliance

Ignoring Law 25 exposes your SMB to severe penalties and a loss of trust.

  • Fines up to $25 million or 4% of global turnover.
  • Civil lawsuits from customers or employees.
  • Reputational damage in case of an unreported data leak.

Map personal information

Compliance starts with a clear inventory of data collected, stored, shared, and deleted.

  • List systems holding customer and employee data.
  • Identify sensitive data and storage locations.
  • Document retention periods and owners.

Create an incident register

Law 25 requires the ability to detect, assess, and notify confidentiality incidents.

  • Define what counts as a confidentiality incident.
  • Create a register available to internal owners.
  • Prepare notification templates for the Commission d'accès à l'information (CAI) and for affected individuals.

Control vendors and AI tools

SaaS providers and AI tools can expose data if contracts and usage are not governed.

  • Add data protection clauses to vendor contracts.
  • Ban prompts containing personal information.
  • Validate hosting locations and critical subprocessors.

Frequently asked questions

Does Law 25 apply to small businesses?

Yes. Any organization handling personal information in Quebec must apply governance controls proportionate to its risks.

What should be produced first?

The inventory of personal information and of the systems that hold it is the most useful starting point, because it lets you prioritize by risk; every other Law 25 control depends on knowing what data you hold and where.

Do we need a privacy officer?

Yes. The role must be clearly assigned and visible in your governance. By default, it falls to the person with the highest authority in the company.

Do I need to report all confidentiality incidents?

No. Only incidents presenting a risk of serious injury must be reported to the Commission d'accès à l'information (CAI).

Can I use ChatGPT with customer data?

No. Using unsecured public AI tools with personal information is prohibited and violates Law 25.

What is personal information under Law 25?

Personal information is any information that allows a natural person to be identified directly or indirectly.

Need a fast Law 25 plan?

Cybernow can turn this checklist into an action plan, policies, and usable registers.
