Practical guide

Law 25 SMB checklist: the priority actions

Practical Law 25 checklist for Quebec SMBs: personal information inventory, incidents, consent, vendors, and governance.

Problem

Your SMB must comply with Law 25, but no one knows what to do first.

Expected outcome

A 30-day compliance plan organized by operational priority.

Updated 2026-04-24 · 9 minutes · Cybernow

Map personal information

Compliance starts with a clear inventory of the personal information you collect, where it is stored, with whom it is shared, and when it is deleted.

  • List every system holding customer and employee data, including SaaS tools and spreadsheets.
  • Identify sensitive data, its storage locations, and any storage or transfer outside Quebec.
  • Document a retention period and an accountable owner for each data set.

Create an incident register

Law 25 requires you to detect and assess confidentiality incidents, record them in a register, and notify the CAI and the affected individuals when an incident presents a risk of serious injury.

  • Define what counts as a confidentiality incident: unauthorized access, use, or communication of personal information, its loss, or any other breach of its protection.
  • Create a register of confidentiality incidents, maintained by the privacy officer, accessible to internal owners, and available to the CAI on request.
  • Prepare notification templates for the CAI and affected individuals, with a documented method for assessing the risk of serious injury.

Control vendors and AI tools

SaaS providers and AI tools can expose personal information if contracts and day-to-day usage are not governed.

  • Add data protection clauses to vendor contracts: use limited to the mandate, confidentiality, safeguards, and prompt notification of incidents.
  • Prohibit entering personal information into unapproved AI tools (prompts, uploads, plug-ins) and maintain a list of approved tools.
  • Validate hosting locations and critical subprocessors, and run a privacy impact assessment before data leaves Quebec.

Frequently asked questions

Does Law 25 apply to small businesses?

Yes. Law 25 sets no size threshold: any enterprise handling personal information in Quebec must apply governance controls proportionate to its risks and to the sensitivity of the data.

What should be produced first?

The personal information and system inventory is the most useful starting point to prioritize risk.

Do we need a privacy officer?

Yes. By default the person with the highest authority in the organization is responsible for the protection of personal information; that function can be delegated in writing. Either way, the role must be clearly assigned, and the officer's title and contact information must be published.

Need a fast Law 25 plan?

Cybernow can turn this checklist into an action plan, policies, and usable registers.

Book an assessment