By Sabrina Leung
On September 22, 2023, amendments introduced by Bill 25 modernizing the Act respecting the protection of personal information in the private sector (hereinafter referred to as the “Act”) came into force. For Quebec companies, this means new measures to protect the public’s privacy with regard to their personal information.
Personal Data Governance
In order to comply with the new obligations set out in the Act, a company must now have established policies and practices governing personal information, notably with a view to ensuring its protection and sound management.
It should be noted that the Act applies to any person operating a business, whether commercial or not, and regardless of its size. However, the measures it requires must be proportionate to the reality of the business and its activities.
Assessing Risk Factors
In practice, this entails an obligation for the company to carry out a customized privacy impact assessment for any activity involving the management of personal data, whether of customers or employees. Such an assessment involves, among other things, identifying the situations in which personal data is at stake. The activities concerned are, for example, those involving the collection, use, communication, protection, destruction or anonymization of personal data.
Objectively speaking, a privacy impact assessment enables a company to identify its main privacy risk factors. Mitigating those risks then requires the implementation of well thought-out processes, tailored to the company’s reality. While one-off risks are the most likely to occur, it is often systemic risks that cause the greatest harm when they do occur, both for the company itself and for the public.
These recent measures are in addition to those already in place since September 2022, notably the one requiring the designation of a Privacy Officer. This person can, directly or indirectly, coordinate the implementation of processes within the company.
Such processes make it possible to cover the entire lifecycle of personal data within a company. It is therefore relevant to question whether personal data needs to enter the company in the first place, and then how it is managed and disposed of at the end of its life.
Risk Mitigation
Adequate risk mitigation implies a cohesive and proportionate system for managing confidentiality incidents. This includes keeping an incident register. While preventing such incidents remains the priority, a rigorous process for identifying and managing incidents should they occur is vital. Not all incidents represent a serious risk, but when they do, certain situations require that the incident be disclosed to the Commission d’accès à l’information.
Enforcement
It is the Commission d’accès à l’information that is responsible for verifying and enforcing the measures set out in the Act. These new legislative provisions are therefore not to be taken lightly. In particular, the Commission can impose penalties of up to $25 million, or the equivalent of 4% of a company’s worldwide sales. In addition, certain breaches may result in the personal liability of a company’s directors. It should be noted, however, that the new legislative measures do not require the absence of incidents, but rather the implementation of adequate measures, appropriate to the company’s context, to provide a framework for the protection of personal data.
This makes it all the more important for companies to challenge their processes, and allow themselves the flexibility to improve them if necessary, particularly following the occurrence of an incident. Like the world around it, a company grows and evolves over time, and its adaptability is often the key to success. Remember, it’s the processes that serve the company, not the other way around.
If you have any questions concerning the development or implementation of such processes within your company, or if you need clarification concerning the Act, please do not hesitate to contact a member of our team!
CMKZ thanks Florence Beauregard, articling student, for preparing this article.