Bill 25 – Are you in good standing?

September 26, 2023

That’s it! The second deadline of September 22, 2023 has passed! But are you in order? How do you go about it? What are the implications for businesses if you’re not? And above all, how do you get there? So many questions! Follow us as we try to shed some light on the new measures and what they mean for you and your business.

Part 1: Understanding Bill 25 and its implications for your business

1. Introduction to Bill 25

Background and context

Law 25 was passed with the aim of strengthening the protection of personal data and making companies more accountable for the management of this data. It is part of a legislative evolution that has emerged with similar regulations internationally, such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the United States.

Objectives of Bill 25

The law has three main objectives:

Personal data protection: Ensuring that individuals’ data is handled securely and confidentially.
Corporate responsibility: obliging companies to implement adequate safety measures.
Strengthening individuals’ rights: Giving people more control over their personal data.

2. Company obligations

Data Protection Officer

Every company must appoint a data protection officer. This position is crucial as it oversees all activities related to personal data management. The person in charge must have in-depth knowledge of data protection laws and be able to advise the company on best practices in this area.

Register of confidentiality incidents

It is imperative for companies to keep a register of confidentiality incidents. This register must include details of the nature of the incident, the steps taken to remedy it, and the people informed. In the event of a major incident, the relevant authorities must be informed as soon as possible. Download our register here

Penalties and fines

Non-compliance with Bill 25 can result in severe penalties, including fines of up to several million dollars. It is therefore in every company’s interest to understand and comply with this legislation.

3. Benefits of an information governance program

Clarifying responsibilities

A well-structured information governance program helps to clarify roles and responsibilities within the company. It also facilitates internal communication, which is essential for efficient data management.

Better data protection

Such a program also enables data encryption and security methods to be put in place, reducing the risk of confidentiality incidents.

Efficient incident response

Having an incident response plan in place and testing it regularly can make all the difference in the event of a data breach. This enables a rapid and effective response, minimizing damage.

4. Steps to create an effective program

Data inventory

The first step in creating an effective program is to carry out a complete inventory of the data held by the company. This includes not only customer data, but also employee and partner data.

Policies and practices

Once the inventory has been taken, the next step is to draw up privacy and security policies. These policies must be updated regularly to reflect changes in legislation or in the company’s environment.

Employee training and awareness

Last but not least, it’s crucial to train employees and raise their awareness of the importance of data protection. This can be done through workshops, online training or simulations.

Part 2: Impacts on your website and action to be taken

Introduction

You’ve heard about Bill 25 and are determined to comply. The first step? Your website.

Why websites are affected

Websites often collect personal data, whether through forms, cookies or traffic analyses. This data is regulated by various laws, including Act 25. It is therefore imperative for website owners to understand their legal responsibilities. The risks of security breaches are real and can lead to incidents such as :

Data leakage: Inadequately secured databases can be compromised, exposing user information.
Non-consensual tracking: The use of cookies without explicit consent may result in legal sanctions.

Data collection on non-transactional sites

Even if your website isn’t transactional, it’s highly likely that you’ll be collecting personal data. Tools such as Google Analytics, Tag Manager, ReCaptcha, Google Maps, PayPal and many others, as well as social networking and video integration, often involve data collection. At the limit, the WPML extension, very popular with companies with bilingual websites, collects personal information about users, such as whether they are English or French-speaking.

Action to be taken

To achieve compliance, a number of actions need to be taken:

Install a cookie consent banner: This is not only good practice, but often a legal requirement.
Clear privacy policy: You need to detail the types of data collected and how they are used.
Appoint a person in charge: Someone within the company should be responsible for data management and incident tracking.
Maintain an incident log: To track and document any data security incidents.

How to create an effective consent banner

A successful banner must be both visible and non-intrusive, while providing all the necessary information. For WordPress users, this often means installing an extension.

Our choice of extension: Complianz

Arcane Evolution has evaluated several options for complying with Bill 25. After testing various free and paid extensions, our choice fell on“Complianz“.

Why choose Complianz

When new regulations are introduced, companies seek to adapt quickly. Complianz offers a free solution, but with limitations in terms of customization. Its pay version is affordable and comprehensive, and even includes an option specially designed for Quebec.

Would you like to get in line?

Arcane Evolution offers you the opportunity to make your WordPress website compliant today by installing and configuring the “Complianz” extension on your website. Contact us today or purchase the service directly.