September 22, 2022 marks the coming into force of certain provisions of the law to modernize private sector privacy legislation, also known as Act 25. This reform modernizes the rules protecting personal information in Quebec so that they are better adapted to the new challenges posed by the current digital and technological environment.

The amendments resulting from Act 25 promote transparency, particularly among public organizations, businesses and provincial political parties, as well as better control of citizens over their personal information. Additionally, other measures ensure better protection of their privacy, while taking into account today’s technological reality.



Act 25 and your organization

Are you aware that the Private Sector Privacy Act has been amended in Quebec?

Act 25:

  • Modernizes old privacy provisions to better reflect today’s technological reality
  • Originally PL64, adopted in September 22, 2021
  • Gradual implementation over 3 years
  • First measures effective September 22, 2022
  • Next date: September 22, 2023


New responsibilities and obligations for organizations

Its entry into force brings new responsibilities and obligations as well as challenges that organizations must face. Here is a brief overview.

Since September 22, 2022, you must, among other things:

  1. Designate a Privacy Officer
  2. In the event of a confidentiality incident involving personal information:
    a. to take reasonable measures to reduce the risk of harm being caused to the persons concerned and to prevent new incidents of the same nature from occurring;
    b. notify the Commission and the person concerned if the incident presents a risk of serious harm;
    c. keep a register of incidents, a copy of which must be sent to the Commission at its request.


From September 22, 2023, you must, among other things:

  1. Have established policies and practices governing the governance of personal information
  2. Respect the new rules surrounding consent to the collection, communication or use of personal information
  3. Destroy personal information when the purpose of its collection is accomplished, or anonymize it to use it for serious and legitimate purposes, subject to the conditions and retention period provided for by law
  4. Respect the right to cease dissemination, re-indexing or de-indexing (or right to be forgotten)


Why is the protection of personal information important?

  • Improve public confidence in the company
  • Meet customer expectations and develop a competitive advantage
  • Listening to employee concerns
  • Reduce the risk of a privacy incident
  • Meet legal obligations
  • Be an exemplary corporate citizen


Examples of challenges

Everyday organizations generate and manage vast amounts of data about clients, suppliers, employees, etc. In order to avoid penal and monetary administrative penalties, companies most become compliant with Act 25. It is crucial to adopt the right data governance program to ensure that you have the right processes in place.

The following are five common challenges faced by organizations regarding the actions that need to be taken to be compliant with Act 25.

  • Data and procedures subject to Act 25 have not been identified
  • Lack of visibility of all data and personal information held
  • No data classification
  • Few structured frameworks and formal controls
  • Lack of mechanisms to detect and manage a data leak


In order to establish a new culture of protection of personal information, organizations must adopt measures that mitigate the risks of infringement of the right to privacy of citizens.

Our governance program enhances the processes, systems and governance framework for the management and protection of personal information, in accordance with best practices and the requirements of Act 25. Whatever your challenge, we can guide you.

We propose a simple and pragmatic approach consisting of 3 phases. Each of these steps is made up of a series of activities carried out with the members of your organization.

Our approach

  1. Quick Wins
  2. Enhanced Compliance
  3. Ongoing Privacy and Data Governance

Contact the Necando experts to find out more about our data governance program!


With Necando’s expertise and IBM technology, you can quickly deploy a governance strategy and be compliant with the personal information protection legislation. With IBM Cloud Pak for Data, bring your data governance strategy to the level required.

IBM Cloud Pak for Data enables you to automate the governance, protection and security of your data with active metadata. This technology offers the following advantages:

  • Drive consistent data understanding: Gain a better understanding of data while simplifying discovery, curation and access to governed data.
  • Manage policies and rules: Manage data policies, address regulatory compliance, promote audit readiness and maintain customer trust.
  • Automate data privacy and security at scale: Identify sensitive data and enforce data protection rules dynamically to control access to data assets across key endpoints within and outside the IBM platform.
  • Improve data quality: Address data quality issues with capabilities for profiling, cleansing, monitoring, matching, and enriching data.

Data governance is essential to an organization’s overall strategy for data management and as part of a complete DataOps practice. It helps you to know what data you have, where that data resides and how that data can be used while adhering to data privacy restrictions.





Discover our Data Governance Solution

Act 25

Comply now!

Contact us