Quebec Law 25 compliance for small and mid-sized businesses
Since September 2023, every Quebec business that handles personal information has new obligations under Law 25. We make them practical — naming your privacy officer, writing the governance, running privacy impact assessments and putting breach reporting in place. Led in French and English, by a local firm.
Law 25 (formerly Bill 64) modernized Quebec’s private-sector privacy law and rolled out in stages from 2022 through 2024. The core obligations that took effect in September 2023 apply to organizations of every size — including the SMBs across the Outaouais and the National Capital Region that don’t have a full-time privacy team to absorb them.
The law is principle-based, not a checklist, which is exactly why it trips up smaller businesses: you need a named accountable person, written governance, a way to assess privacy risk before you launch projects, and a tested process for the day a breach happens. We turn those requirements into a short, prioritized plan — and, if you want, we stay on as your outsourced privacy office so it keeps working after the documents are signed.
Because we’re Canadian-owned and keep client data in Canada (Azure Canada Central/East, AWS ca-central-1), we can also help you answer the cross-border and data-residency questions Law 25 now forces you to ask before sharing personal information outside Quebec.
| In force since | Obligation | What it means for you |
|---|---|---|
| September 2022 | Named privacy officer (RPRP) and confidentiality incidents | Designate the accountable person and publish their title and contact details; assess incidents, keep a register, and notify the Commission d’accès à l’information and affected individuals when there’s a risk of serious injury. |
| September 2023 | The core wave: governance, EFVP, consent, transparency | Written, published policies; privacy impact assessments (including before any transfer outside Quebec); stricter consent rules; transparency at the point of collection; the de-indexing right — and the penalty regime taking effect. |
| September 2024 | Data portability | Individuals can request their computerized personal information in a structured, commonly used technological format. |
Law 25 compliance, made practical
Privacy officer (RPRP)
The law requires a person in charge of protecting personal information. We help you name a Responsable de la protection des renseignements personnels (RPRP) and publish their role — or we act as your outsourced privacy officer.
Privacy impact assessments (PIA / EFVP)
Law 25 requires an évaluation des facteurs relatifs à la vie privée before you acquire a system that handles personal information or transfer it outside Quebec. We run the EFVP, document the risks and recommend mitigations.
Governance policies
We draft the governance Law 25 expects — internal policies and practices for personal information, retention and destruction schedules, and the public-facing privacy notice your clients can actually read.
Breach reporting & register
When a confidentiality incident poses a risk of serious injury, you must notify the Commission d’accès à l’information and affected individuals — and keep a register of incidents. We build the process, the templates and the register before you need them.
Consent & individual rights
Clear consent, transparency at the point of collection, and new rights — access, correction, de-indexing and data portability. We map how you collect and use personal information and fix the gaps in plain language.
Cross-border transfers & data residency
Before personal information leaves Quebec it must be assessed. As a Canadian-owned firm that keeps data in Canada (Azure Canada Central/East, AWS ca-central-1), we help you evaluate transfers and choose options that keep data home.
Frequently asked questions
Does Law 25 apply to small businesses?
Yes. Law 25 applies to virtually every private-sector enterprise in Quebec that collects, holds or uses personal information, regardless of size — there is no employee-count exemption. The core obligations have been in force since September 2023 — and the first wave, including naming a privacy officer and reporting serious confidentiality incidents, since September 2022. Smaller businesses simply need to scope the effort to their size, which is exactly what we help with.
What are the penalties for not complying with Law 25?
Law 25 carries some of the toughest privacy penalties in Canada. The Commission d’accès à l’information can impose administrative monetary penalties of up to $10 million or 2% of worldwide turnover, and penal fines can reach $25 million or 4% of worldwide turnover for the most serious offences — whichever is higher. The law also created a private right of action for damages. The practical risk for an SMB is usually a complaint or a reported breach that exposes missing governance, which is why having the basics in place matters.
What is an EFVP (privacy impact assessment) and do we need one?
An EFVP — évaluation des facteurs relatifs à la vie privée, or privacy impact assessment — is a structured review of the privacy risks of a project. Under Law 25 you must conduct one before acquiring, developing or overhauling an information system that handles personal information, and before transferring personal information outside Quebec. We run the EFVP, document the risks proportionate to the project, and give you the mitigation steps and the record to keep on file.
Can you act as our privacy officer (RPRP)?
Yes. If you’d rather not assign the role internally, we can serve as your outsourced privacy officer — the named Responsable de la protection des renseignements personnels — handling requests, incident assessments, the incident register and ongoing governance. It pairs naturally with our virtual-CISO service, giving you privacy and security leadership at a fraction of a full-time hire, in French and English.
How much does Law 25 compliance cost for an SMB?
There’s no flat rate — the cost turns on the size of your organization, the volume and sensitivity of the personal information you hold, how mature your current governance is, and whether you outsource the privacy-officer (RPRP) role or keep it in-house. An SMB that already has policies and a named officer has far less ground to cover than one starting from zero. We begin with a short gap review to frame the work, then give you a clear fixed fee with no surprises, sized to your situation.
Is there financial help for Law 25 compliance?
Subsidized cybersecurity and Law 25 support has been available to Quebec SMBs through the province’s network of college technology-transfer centres (CCTT) — for example CyberQuébec, affiliated with Cégep de l’Outaouais and funded by the Government of Quebec. Specific programs change over time (the MaLoi25 program, for instance, ended in 2025), so we help you identify what’s currently available and confirm your eligibility, then carry out the compliance work itself — EFVP, governance and privacy officer.
Further reading: Quebec Law 25, explained for SMBs · Data residency vs. sovereignty
In the region: Law 25 compliance in the Outaouais — delivered locally, in person
Not sure where you stand on Law 25?
Let’s start with a short Law 25 gap review and a clear, prioritized plan scoped to your business.
Get in touch