September 22, 2022 marks the coming into force of certain provisions of the law to modernize private sector privacy legislation, also known as Act 25. This reform modernizes the rules protecting personal information in Quebec so that they are better adapted to the new challenges posed by the current digital and technological environment.

The amendments resulting from Act 25 promote transparency, particularly among public organizations, businesses and provincial political parties, and give citizens better control over their personal information. Additionally, other measures ensure better protection of their privacy, while taking into account today’s technological reality.



Act 25 and your organization

Act 25 aims, among other things, to:

  • Enhance the protection of personal information held by organizations
  • Increase citizens’ confidence in businesses
  • Support innovation by taking into account new technologies

Its entry into force brings new responsibilities and obligations as well as challenges that organizations must face. Here is a brief overview.

New responsibilities and obligations for organizations

  • Designate a Privacy Officer
  • Keep an incident log of all confidentiality incidents
  • Develop a privacy governance framework
  • Keep an inventory of personal information
  • Take the necessary measures regarding data portability and the right to be forgotten

Examples of challenges

Every day, organizations generate and manage vast amounts of data about clients, suppliers, employees, etc. In order to avoid penal and monetary administrative penalties, companies must become compliant with Act 25. It is crucial to adopt the right data governance program to ensure that you have the right processes in place.

The following are five common challenges faced by organizations regarding the actions that need to be taken to be compliant with Act 25.

  • Data and procedures subject to Act 25 have not been identified
  • Lack of visibility of all data and personal information held
  • No data classification
  • Few structured frameworks and formal controls
  • Lack of mechanisms to detect and manage a data leak



In order to establish a new culture of protection of personal information, organizations must adopt measures that mitigate the risks of infringement of the right to privacy of citizens.

Our governance program enhances the processes, systems and governance framework for the management and protection of personal information, in accordance with best practices and the requirements of Act 25. Whatever your challenge, we can guide you.

We propose a simple and pragmatic approach consisting of 3 steps. Each of these steps is made up of a series of activities carried out with the members of your organization.

Our approach

1. Assessment and action plan

2. Development and implementation

3. Monitoring and adjustments


Contact the Necando experts to find out more about our data governance program!


With Necando’s expertise and IBM technology, you can quickly deploy a governance strategy and be compliant with the personal information protection legislation. With IBM Cloud Pak for Data, bring your data governance strategy to the level required.

IBM Cloud Pak for Data enables you to automate the governance, protection and security of your data with active metadata. This technology offers the following advantages:

  • Drive consistent data understanding: Gain a better understanding of data while simplifying discovery, curation and access to governed data.
  • Manage policies and rules: Manage data policies, address regulatory compliance, promote audit readiness and maintain customer trust.
  • Automate data privacy and security at scale: Identify sensitive data and enforce data protection rules dynamically to control access to data assets across key endpoints within and outside the IBM platform.
  • Improve data quality: Address data quality issues with capabilities for profiling, cleansing, monitoring, matching, and enriching data.

Data governance is essential to an organization’s overall strategy for data management and as part of a complete DataOps practice. It helps you to know what data you have, where that data resides and how that data can be used while adhering to data privacy restrictions.




