Published on April 12, 2026

Law 25 Cybersecurity Checklist for Quebec Small Businesses

Fethi Guessabi
Tags: Cybersecurity, Law 25, Quebec, Compliance, Small Business

What Is Law 25 and Why Should You Care?

Law 25 (formerly Bill 64) is Quebec's modernized private-sector privacy law. It applies to every enterprise that collects, holds, uses, or communicates personal information in the course of doing business in Quebec, regardless of size. There is no small-business exemption.

The law took effect in three phases, in September 2022, September 2023, and September 2024, and all obligations are now in force. Penal fines for non-compliance can reach $25 million or 4% of worldwide turnover for the preceding fiscal year, whichever is greater. Separately, the CAI can impose administrative monetary penalties of up to $10 million or 2% of worldwide turnover.

If you're a small business in Quebec and you haven't reviewed your data practices since 2022, this checklist is for you.

The Compliance Checklist

1. Designate a Privacy Officer

  • Every organization must designate a person responsible for the protection of personal information (the privacy officer)
  • By default, this is the person with the highest authority in the organization (owner, president, or CEO)
  • The role can be delegated in writing, to an employee or to an outside party, and the delegation must be documented
  • The officer's title and contact information must be published on your website (or, if you have no website, made available by another appropriate means)

2. Have an Incident Response Plan

  • You must have a written procedure for handling confidentiality incidents: access to, use of, or communication of personal information not authorized by law, and loss or any other breach of its protection
  • If an incident presents a risk of serious injury, you must promptly notify the Commission d'accès à l'information (CAI) and the affected individuals
  • You must maintain a register of all confidentiality incidents, including minor ones that required no notification
  • A copy of the register must be provided to the CAI on request

3. Conduct a Privacy Impact Assessment (PIA)

  • Required for any project to acquire, develop, or overhaul an information system or electronic service delivery system that involves collecting, using, communicating, keeping, or destroying personal information (a new CRM, payroll platform, or e-commerce site, for example)
  • Also required before communicating personal information outside Quebec, which includes storing it with a cloud or SaaS provider located elsewhere
  • The assessment must be proportionate to the sensitivity and quantity of the information, and must evaluate the necessity of the collection, the risks, and the safeguards

4. Implement Consent Mechanisms

  • Consent must be clear, free, and informed, and given for specific purposes
  • You must state, in plain language, why you are collecting the information, how it will be used, and who it may be shared with
  • Separate consent is required for each distinct purpose; one bundled "I agree" covering everything does not qualify
  • People must be able to withdraw consent easily, and must be told that they can
  • Sensitive information (the law's own examples are medical, biometric, and other intimate information; financial data usually qualifies because of the context in which it is used) requires express consent, obtained separately

5. Publish a Privacy Policy

  • Must be written in clear and simple language
  • Must describe what information you collect, why, how it's used, how long it's kept, and who has access
  • Must include contact information for your privacy officer
  • Must be easily accessible on your website

6. Establish Data Retention and Destruction Rules

  • Personal information must be destroyed or anonymized once the purpose for which it was collected has been fulfilled, subject to any retention period another law imposes (tax and employment records, for example)
  • You must have a documented retention schedule that states, for each category of information, how long it is kept and why
  • Destruction must be secure: deleting a file or emptying the recycle bin is not destruction; overwrite or cryptographically erase storage media, and shred paper records

7. Enable Data Portability and Access Rights

  • Individuals have the right to access their personal information held by your organization
  • They have the right to request correction of inaccurate information
  • They have the right to data portability, in force since September 2024 (receiving the computerized information they provided in a structured, commonly used technological format)
  • You must respond to these requests within 30 days of receiving them

The Security Checklist

Law 25 requires security measures that are "reasonable" given the sensitivity of the information, the purposes for which it is used, its quantity and distribution, and the medium it is stored on. For a small business, that means at minimum:

Access Controls

  • Every employee has their own account (no shared logins), so every action can be traced to a person
  • Multi-factor authentication (MFA) on all email, VPN, remote-access, and cloud accounts
  • Admin access limited to those who actually need it, and reviewed periodically
  • Former employees' access revoked within 24 hours of departure, including SaaS accounts, shared mailboxes, and remote-access credentials

Data Protection

  • Data encrypted in transit (HTTPS for web traffic, TLS for email) and at rest (full-disk encryption on laptops and servers, encrypted backups)
  • Regular backups with tested restore procedures
  • Backups stored in a separate location from primary data
  • Sensitive documents not stored on personal devices or consumer cloud storage

Network Security

  • Firewall configured and maintained, with logging enabled and rules reviewed periodically (not just the default ISP router)
  • Wi-Fi network segmented (guest network separated from business network)
  • All systems and software patched and updated regularly, with automatic updates enabled where possible
  • Antivirus/EDR on all endpoints

Employee Awareness

  • Basic cybersecurity training for all employees (at minimum: phishing, passwords, social engineering)
  • Clear policy on acceptable use of company systems
  • Procedure for reporting suspicious activity

Common Gaps in Quebec SMBs

Based on our experience, these are the most common issues we see:

  1. No privacy officer designated. Many owners don't realize they're the default privacy officer and have specific obligations.
  2. No incident register. Even if you've never had a breach, the register must exist.
  3. Consent language copied from a US template. Quebec's consent requirements are stricter than most US/Canadian equivalents. Generic privacy policies don't comply.
  4. Shared admin accounts. One admin login shared by three people makes it impossible to trace who did what. This is a compliance and security failure.
  5. No backup testing. Having backups is step one. Knowing they actually work is step two. Many SMBs have never tested a restore.
  6. Outdated firewall rules. The firewall was set up three years ago and nobody has reviewed the rules since. Default rules, open ports, no logging.
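The backup test that the Data Protection checklist and gap 5 above call for, written as an added example for this post (it is not code from the original article or from any particular backup product): archive a directory, record a SHA-256 manifest at backup time, then prove the backup is usable by restoring it into a scratch directory and comparing every file against that manifest. The tar.gz format, the manifest layout, and the sample files are assumptions constructed for the demonstration; the same restore-and-compare check applies to whatever tool produces your real backups. The demo also shows the two failures a "backups exist" checkbox never catches: a job that silently skipped one file and archived a stale copy of another, and an archive truncated mid-write.

```python
"""Backup with a verified restore (added example, not code from the original post).
Assumptions: a tar.gz archive plus a SHA-256 manifest stand in for whatever backup
tool the business uses; the sample files are constructed so this runs offline."""
from __future__ import annotations

import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    return Path(f"{archive}.manifest.json")


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive `source` and write the manifest a later restore is checked against."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path) -> tuple[bool, list[str]]:
    """The actual test: restore into a scratch directory and compare every file
    with the manifest. An unreadable or tampered archive is reported, not raised."""
    if not manifest_path(archive).exists():
        return False, ["manifest missing: nothing to compare the restore against"]
    expected = json.loads(manifest_path(archive).read_text())
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for m in tar.getmembers():  # refuse entries that escape the restore dir
                    if m.name.startswith("/") or ".." in Path(m.name).parts:
                        return False, [f"unsafe path in archive: {m.name}"]
                # the 'data' filter (3.12+, backported) also blocks path escapes and device nodes
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, EOFError, OSError) as exc:
            return False, [f"archive could not be read: {exc!r}"]
        restored = Path(scratch) / "data"
        actual = build_manifest(restored) if restored.is_dir() else {}
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"content mismatch after restore: {rel}")
    problems += [f"unexpected file in restore: {rel}" for rel in sorted(actual.keys() - expected.keys())]
    return not problems, problems


def run_demo() -> dict[str, tuple[bool, list[str]]]:
    """Back up a constructed dataset, verify it, then verify two broken backups."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        source, archive = Path(work) / "client-files", Path(work) / "backup.tar.gz"
        (source / "hr").mkdir(parents=True)
        (source / "clients.csv").write_text("id,name\n1,Example Client\n")  # constructed
        (source / "hr" / "payroll-2025.txt").write_text("constructed sample payroll data\n")
        create_backup(source, archive)
        results["good"] = verify_restore(archive)
        # Failure mode 1: the job "succeeded" but skipped one file and archived a stale copy.
        (source / "hr" / "payroll-2025.txt").unlink()
        (source / "clients.csv").write_text("id,name\n1,Stale Copy\n")
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(source, arcname="data")
        results["skipped_and_stale"] = verify_restore(archive)
        # Failure mode 2: archive truncated mid-write (full disk, interrupted copy).
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        results["truncated"] = verify_restore(archive)
    return results


if __name__ == "__main__":
    for name, (ok, problems) in run_demo().items():
        print(f"{name}: {'OK' if ok else 'FAILED'} {problems}")
```

The point of the design is that the manifest is written by the backup job and the comparison is done by a restore, so a backup that "completed" but is incomplete, stale, or unreadable fails the test rather than sitting quietly on a shelf until the day you need it. Run the verification on a schedule and keep its output; that record is also what shows an auditor that the backups were actually tested.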

What to Do This Week

If you're starting from scratch, here are the five most impactful things you can do immediately:

  1. Designate a privacy officer and publish their contact information on your website
  2. Create an incident register (even a simple spreadsheet to start)
  3. Enable MFA on all email and cloud accounts
  4. Review who has admin access to your systems and remove anyone who doesn't need it
  5. Write a basic privacy policy and publish it on your website

These five actions take a day or less and cover the most critical compliance and security gaps.
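The incident register from checklist item 2 and step 2 above, as an added example (this is not code from the original post): a small Python module whose entry fields follow what the Regulation respecting confidentiality incidents requires the register to record (a description of the information involved, the circumstances, the date of the incident and the date the enterprise became aware of it, the number of people affected, the risk-of-serious-injury assessment and the elements behind it, the dates of any notices to the CAI and to the individuals, and the measures taken to reduce the risk), keeps each entry for the regulation's five-year minimum counted from the awareness date, flags an entry that records a serious-injury finding with no matching notification, and exports to CSV so the register can start life as the "simple spreadsheet" the post suggests. The two incidents are constructed for the demonstration.

```python
"""Confidentiality-incident register for Law 25 (added example, not from the post).
Assumptions: the fields follow the Regulation respecting confidentiality incidents
and its five-year minimum retention; CSV stands in for the suggested spreadsheet.
The incidents in build_sample_register() are constructed for the demonstration."""
from __future__ import annotations

import csv
import io
from dataclasses import asdict, dataclass, fields
from datetime import date

REGISTER_RETENTION_YEARS = 5  # each entry kept at least five years after awareness


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # Feb 29 landing in a non-leap year
        return d.replace(year=d.year + years, day=28)


@dataclass
class IncidentEntry:
    incident_id: str
    personal_info_description: str  # what kinds of personal information were involved
    circumstances: str              # brief description of what happened
    incident_date: date             # date (or start of the period) of the incident
    awareness_date: date            # when the enterprise became aware of it
    persons_affected: int           # number, or best estimate, of people concerned
    serious_injury_risk: bool       # outcome of the risk-of-serious-injury assessment
    risk_assessment_notes: str      # the elements that led to that conclusion
    mitigation_measures: str        # what was done to reduce the risk of injury
    cai_notified_on: date | None = None      # mandatory when serious_injury_risk
    persons_notified_on: date | None = None  # mandatory when serious_injury_risk

    def retain_until(self) -> date:
        return _add_years(self.awareness_date, REGISTER_RETENTION_YEARS)

    def problems(self) -> list[str]:
        """Blank mandatory fields, or a serious-injury finding with no notice on record."""
        issues: list[str] = []
        if not self.personal_info_description.strip():
            issues.append("missing description of personal information")
        if not self.circumstances.strip():
            issues.append("missing description of circumstances")
        if self.serious_injury_risk and self.cai_notified_on is None:
            issues.append("serious injury risk but CAI not notified")
        if self.serious_injury_risk and self.persons_notified_on is None:
            issues.append("serious injury risk but affected persons not notified")
        return issues


class IncidentRegister:
    def __init__(self) -> None:
        self.entries: list[IncidentEntry] = []

    def record(self, entry: IncidentEntry) -> None:
        if any(e.incident_id == entry.incident_id for e in self.entries):
            raise ValueError(f"duplicate incident id {entry.incident_id}")
        self.entries.append(entry)

    def audit(self) -> dict[str, list[str]]:
        """incident_id -> problems; an empty dict means the register is clean."""
        return {e.incident_id: e.problems() for e in self.entries if e.problems()}

    def purgeable(self, today: date) -> list[str]:
        """Entries whose minimum retention has elapsed (may be removed, not must)."""
        return [e.incident_id for e in self.entries if e.retain_until() <= today]

    def to_csv(self) -> str:
        """Flat export so the register can live in a spreadsheet."""
        buf = io.StringIO()
        cols = [f.name for f in fields(IncidentEntry)] + ["retain_until"]
        writer = csv.DictWriter(buf, fieldnames=cols, lineterminator="\n")
        writer.writeheader()
        for e in self.entries:
            row = {k: (v.isoformat() if isinstance(v, date) else "" if v is None else v)
                   for k, v in asdict(e).items()}
            row["retain_until"] = e.retain_until().isoformat()
            writer.writerow(row)
        return buf.getvalue()


def build_sample_register() -> IncidentRegister:
    """Constructed incidents: a minor one needing no notification, and a serious
    one whose CAI notice was never logged (the audit must catch it)."""
    reg = IncidentRegister()
    reg.record(IncidentEntry(
        incident_id="INC-2025-001", persons_affected=1, serious_injury_risk=False,
        personal_info_description="Customer name and email address",
        circumstances="Invoice emailed to the wrong customer",
        incident_date=date(2025, 3, 3), awareness_date=date(2025, 3, 3),
        risk_assessment_notes="Single recipient, low-sensitivity data, deletion confirmed",
        mitigation_measures="Recipient confirmed deletion; address check added to invoicing"))
    reg.record(IncidentEntry(
        incident_id="INC-2025-002", persons_affected=42, serious_injury_risk=True,
        personal_info_description="Payroll export: names, SINs, bank account numbers",
        circumstances="Phished accountant mailbox; payroll file downloaded by attacker",
        incident_date=date(2025, 6, 10), awareness_date=date(2025, 6, 12),
        risk_assessment_notes="Sensitive financial identifiers exfiltrated; identity theft risk",
        mitigation_measures="Password reset, MFA enforced, credit monitoring offered",
        persons_notified_on=date(2025, 6, 14)))  # cai_notified_on left unset on purpose
    return reg
```

Two design points matter here. First, the minor incident is recorded even though nothing had to be reported; the register is a log of every confidentiality incident, not only of breaches that triggered a notice. Second, `audit()` is the control that turns the register from paperwork into a check: an entry that says "serious injury risk" with no CAI notification date is exactly the gap the CAI will ask about, and the register should surface it before the CAI does.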


Need Help Getting Compliant?

We help Quebec businesses assess their security posture and build practical compliance plans. Not 200-page frameworks that sit on a shelf. Actionable checklists, real fixes, and measurable improvements.

Get in touch and let's figure out where you stand and what needs to happen next.
