Quebec Law 25 — CapGRC guides you from assessment to compliance
Structure your Law 25 program with dedicated tools: PIAs, incident register, privacy policy and data subject rights.
What Law 25 requires
Law 25 (An Act to modernize legislative provisions as regards the protection of personal information) imposes new obligations on Quebec organizations. CapGRC structures and automates your compliance.
Privacy Impact Assessments (PIA)
Conduct a PIA before any project involving personal information.
Privacy incident register
Document any privacy incident and notify the CAI if necessary.
Privacy policy
Publish a clear and accessible privacy policy.
Privacy officer
Designate a privacy officer and publish their contact information.
Data subject rights
Implement mechanisms to handle access, rectification and deletion requests.
Consent
Obtain free, informed and specific consent for the collection and use of personal information.
How CapGRC responds
Compliance timeline
September 2022
Officer designation, committee creation
September 2023
PIAs, incident register, new consent rules
September 2024
Right to portability, de-indexing, full enforcement
Recommended modules
Regulatory Compliance
Manage compliance with Law 25, ISO 27001, PCI-DSS and other frameworks from a unified interface.
Project Security
Integrate security from the start of your IT projects with systematic assessments and controls.
Third-party Risks
Assess, track and manage risks related to your vendors and partners throughout the relationship.
GRC Programs
Orchestrate your governance, risk and compliance program with a unified view and strategic dashboards.
Ready to ensure your Law 25 compliance?
Request a free consultation and discover how CapGRC can structure your compliance program.
