Law 25 — formally the Act to Modernize Legislative Provisions as Regards the Protection of Personal Information — is now fully in force in Quebec. Every organization that collects personal information about Quebec residents is subject to it, regardless of size.
Most guides about Law 25 are written by lawyers for lawyers. This one is written for Montreal SMB owners and operators who need to understand their IT obligations and take practical action.
Key reminder: Law 25 applies to you if you collect personal information — customer contact forms, employee records, CRM data, email lists, billing info. If any of those apply, keep reading.
The 8-Point IT Compliance Checklist
1. Designate a Privacy Officer
Law 25 requires every organization to designate a Privacy Officer responsible for compliance. This defaults to your highest-ranking officer (CEO, managing partner) if you don't explicitly designate someone. The name must be published on your website. IT role: ensure your IT provider knows who this person is and that their contact info is accessible externally.
2. Complete a Data Inventory
You must know what personal information you collect, where it's stored, who has access, and how long you keep it. This is a joint IT and operations exercise. Your IT provider should be able to tell you every system that touches personal data — CRM, email, accounting software, HR tools, website forms.
3. Conduct Privacy Impact Assessments (PIAs)
Any time you acquire a new IT system, develop software, or overhaul an existing system that handles personal information, a PIA is required. Your IT provider should trigger this conversation whenever proposing new technology. Most Montreal SMBs have never run a PIA — but they're required for every major new system going forward.
4. Implement Appropriate Security Measures
This is where IT becomes compliance. Law 25 requires "appropriate" technical and organizational security measures, and you must be able to document them. At minimum for a Montreal SMB:
- Multi-Factor Authentication (MFA) on all systems with personal data
- Endpoint Detection and Response (EDR) — not legacy antivirus
- Encryption for data at rest and in transit
- Role-based access controls — people only access data they need
- Regular patch management
- Immutable backup with tested recovery
5. Publish a Privacy Policy
A plain-language privacy policy must be publicly accessible. It must explain what data you collect, why, how long you keep it, and how individuals can exercise their rights. Your IT provider should ensure your website reflects this accurately, including your CMS and any data collection tools.
6. Establish a Breach Response Protocol
When a data breach occurs, Law 25 requires notification to the CAI (Commission d'accès à l'information) and affected individuals within specific timeframes. You must have a documented breach response plan before a breach happens. Your IT provider should have an incident response procedure, and you should have documented your own.
7. Manage Third-Party Vendor Agreements
Any vendor that handles personal data on your behalf — your cloud provider, payroll service, CRM vendor, marketing platform — must have a contract that addresses data protection obligations. Your IT provider is one of these vendors; they should be able to provide you with a data processing agreement.
8. Implement Data Portability Procedures
Individuals have the right to receive a copy of their personal information in a structured, commonly used format. Requests must be fulfilled within 30 days. Your IT team needs to know how to extract personal data from each system you operate.
What the CAI Actually Looks For
The Commission d'accès à l'information has been increasingly active since Law 25 came into full effect. Based on public guidance, they prioritize:
- Publicly accessible privacy policy (easiest thing to check)
- Evidence of Privacy Officer designation
- Documentation of security measures — not just claims, but provable controls
- Breach response plan and notification records
The CAI doesn't audit every business proactively — investigations are typically triggered by complaints. But a breach that isn't properly reported, or a complaint that reveals no controls exist, can escalate quickly.
How to Get Compliant Without a Lawyer
Law 25 compliance has legal and IT dimensions. The legal side (privacy policy wording, breach notification drafting) may benefit from a lawyer review. But the bulk of the work is IT:
- Data inventory — IT-led exercise
- Security controls — IT implementation
- PIA process — IT and operations
- Breach response runbook — IT-led with management sign-off
- Vendor data processing agreements — IT identifies vendors, legal (or a standard DPA template) covers the agreement
A managed IT provider that understands Law 25 can complete your compliance baseline in 4–6 weeks. We've done it in under 30 days for Montreal law firms with zero prior documentation.
Not Sure Where Your Law 25 Compliance Stands?
Book a free 30-minute compliance call with Evolv I.T. We'll assess your current IT controls against Law 25 requirements and tell you exactly what needs to change — no obligation.