Law 25 readiness self-check
Is your business ready for Quebec’s Law 25? Since September 2023, every private-sector organization that handles the personal information of Quebec residents has had clear, enforceable obligations — with penalties reaching into the millions for serious violations. This free 2-minute self-check walks you through 10 of the law’s core requirements. Answer honestly: nothing is saved, sent, or tracked — the entire assessment runs in your browser.
This self-check is provided for information only and is not legal advice.
Ten core Law 25 obligations
The self-check gauges your readiness against ten foundational requirements of Quebec’s Law 25:
- A named privacy officer (RPRP), with published contact information
- A published privacy policy, in clear language
- Clear, free and informed consent, sought by purpose
- An up-to-date inventory of the personal information you hold
- A breach-response plan and a register of confidentiality incidents
- Privacy impact assessments (EFVP)
- Defined retention periods and a secure destruction process
- Assessment of third-party and outside-Quebec transfers
- Staff training and awareness
- A process for access, correction and portability requests
The self-check scores out of 20 across three bands: 0–7 "at risk" (significant gaps), 8–14 "on your way" (gaps to close), and 15–20 "strong footing" (keep it current, since compliance is continuous).
Go deeper: read Quebec Law 25, explained for SMBs, see our Law 25 compliance service or, if you’re local, our Law 25 help in the Outaouais.
Frequently asked questions
What does the Law 25 self-check measure?
The self-check covers ten core obligations of Quebec’s Law 25: naming a privacy officer (RPRP), a published privacy policy, clear consent at collection, an inventory of the personal information you hold, a breach-response plan and incident register, privacy impact assessments (EFVP), retention and destruction periods, assessment of third-party and outside-Quebec transfers, staff training, and a process to handle access, correction and portability requests.
How is the score calculated?
Each answer is worth 0 to 2 points, for a total out of 20. From 0–7, your organization has significant gaps; 8–14, you’re on your way with gaps to close; 15–20, your posture is strong and the goal becomes keeping it current. Everything is calculated in your browser — nothing is saved or sent.
What should I do after the self-check?
The self-check highlights your highest-risk gaps. The usual next step is a Law 25 gap analysis: a clear picture of where you stand and a prioritized roadmap. IT Sincennes — a Canadian-owned firm in Ottawa and Gatineau, where your data stays in Canada — can carry out that work in English or French.