However, a recent FCCQ survey shows that 4 out of 10 companies do not understand the effects of Bill 64 on their activities, in a context where most companies only have a low level of maturity regarding data confidentiality management.
The massive theft of data belonging to members of the Mouvement Desjardins is still fresh in Quebec's memory, and it demonstrated the consequences of negligent management of personal data.
Legislators certainly had this breach in mind when adopting Bill 64 on September 21, 2021, which modernizes the provisions applicable to the protection of personal information.
The law, inspired by the GDPR (General Data Protection Regulation) of the European Union, applies to any private or public company, within the meaning of the Civil Code of Quebec, which collects, holds, uses or communicates personal information.
According to the timeline below (available in French only), companies have until September 22, 2022 to appoint a privacy officer and to have a privacy incident response plan in place.
They have until September 22, 2023 to adopt and disseminate a data governance policy, and until September 22, 2024 to comply with data portability, thereby allowing customers to retrieve their personal information.
The risks of penalties applicable in 2023 are now forcing companies to answer the following questions:
What is our current situation in terms of the protection of personal information?
What actions will we need to take to ensure our business is in compliance?
Since compliance gaps can be significant, and therefore long and complex to close, when are we going to launch the project?
And so, are we going to take the cautious approach of the tortoise, the hasty approach of the hare, or worse, the elusive approach of the ostrich?
You should adopt the tortoise strategy right away, because the road could be long, and the tasks and interdependencies too numerous for you to be able to skip any steps.
To be able to identify the changes you need to make and the resources you will need, you could take an approach that can be summarized as follows.
For many companies, especially SMBs, it will be a question of changing the way they think about data protection, and immediately increasing their level of cybersecurity.
This is because it has become more important than ever to put data privacy into practice, in particular for data associated with personal information.
Doing this is a two-for-one! Not only are you adapting to the current threat landscape, but you are also preparing for PL 64 at the same time.