FortaRisks

Law 25 readiness assessment

In a few minutes, gauge your compliance with Quebec's personal information protection law, and leave with your priorities.

≈ 5 minutes · no sign-up

Law 25 applies to any organization that handles personal information in Quebec. Answer the 18 statements below honestly: everything is computed in your browser, and no answer is stored or sent.

Answer each statement based on your real situation. Your score and priorities appear instantly in your browser. Nothing is sent anywhere.


1. Governance and accountability

A person in charge of the protection of personal information is designated, and their title and contact details are published on your website.

You have established and published governance policies and practices covering the retention, destruction and handling of personal information.

You keep an up-to-date inventory of the personal information you hold (nature, purposes, location, access).

At the point of collection, you inform individuals of the purposes, the means used, their rights and the third parties the information may be shared with.

Consent is requested in a clear, free and informed way, separately for each purpose and in plain terms.

Express consent is obtained for sensitive personal information (e.g. health or biometric data).

3. Individual rights

You have a process to respond to access and rectification requests within the required timeframe (30 days).

You can provide, on request, computerized personal information in a structured, commonly used technological format (data portability).

You handle requests to stop dissemination, re-index or de-index information (right to be forgotten).

4. Confidentiality incidents

You keep a register of confidentiality incidents, retained and available on request from the Commission d'accès à l'information (CAI).

You have a process to assess the "risk of serious injury" of an incident and, where applicable, promptly notify the CAI and affected individuals.

Your incident response plan (containment, notification, corrective measures) is documented and tested.

5. Privacy impact assessments and transfers

You conduct a privacy impact assessment (PIA) for projects to acquire, develop or overhaul information systems involving personal information.

Before disclosing personal information outside Quebec, you assess whether protection there is adequate and frame the transfer accordingly.

When a decision is based exclusively on automated processing, you inform the individual and let them have the decision reviewed.

6. Security and lifecycle

You protect personal information with reasonable security measures, and the highest confidentiality settings apply by default in your products and services offered to the public.

Personal information is destroyed or anonymized once its purpose is fulfilled, according to a defined retention schedule.

Your agreements with agents and processors include personal information protection clauses.


FAQ

What is Law 25?

Law 25 (formerly Bill 64) modernizes the protection of personal information in Quebec, across the private and public sectors. It requires, among other things, a person in charge of personal information protection, confidentiality incident management, privacy impact assessments and new rights for individuals.

Who is subject to it?

Any enterprise carrying on activities in Quebec that collects, holds, uses or communicates personal information, regardless of its size or sector.

What are the key deadlines?

Obligations came into force in stages: September 2022 (privacy officer, incident reporting), September 2023 (most obligations: consent, PIA, transparency) and September 2024 (right to data portability).

What are the penalties for non-compliance?

Administrative monetary penalties can reach CA$10M or 2% of worldwide turnover, and penal fines CA$25M or 4% of worldwide turnover, whichever is higher.

Does this assessment replace legal advice?

No. This self-assessment is an indicative tool to gauge your maturity and prioritize your actions. It does not constitute legal advice; validate your compliance with a qualified advisor.