The new provisions of 2022, 2023, and very soon 2024 can make complying with Bill 25 seem like a real headache. It’s easy to get lost among the various effective dates and the resulting obligations.
In a nutshell, the law on the protection of personal information governs the management of personal information within companies: from its collection to its destruction, via its use, retention and communication. It thus governs the entire life cycle of personal information.
Although it may seem complex at first glance, the process of achieving compliance is often less cumbersome than it seems, and can be significantly optimized by an effective initial internal analysis of your situation regarding personal information protection. Ultimately, this evaluation will not only help you identify gaps related to the new obligations but also speed up the drafting of the necessary documents, whether internal policies or a privacy policy.
Here’s a summary of the steps our team suggests you take to carry out this initial analysis for complying with Bill 25.
Stages in the compliance process
The first question to ask in this process is: how is your personal information collected?
It’s crucial to have a clear overview of your means of collection, as this enables you to accurately identify the personal information you collect, while ensuring that your collection methods are compliant (especially in relation to the consent of the individuals concerned).
- What is personal information?
- Information is considered personal when it concerns a natural person and makes it possible, directly or indirectly, to identify him or her. Note, however, that the law on personal information does not apply to professional contact information such as a person’s job title, work address, work e-mail or work telephone number. But beware! This exclusion does not extend to the other personal information you hold about your employees (for example, their home address, date of birth or banking details).
- What is a means of collection?
- Personal information can be collected in several ways:
- If you have a website, there are many ways to collect it, such as a contact form, newsletter sign-up, account creation, tracking tools like cookies, customer support chat, etc. Other means are also commonly used outside a website: by email, via paper or PDF forms, phone calls or social networks.
- Special mention: Don’t forget your human resources processes, including the e-mail address or sites through which you collect information from potential candidates, or your human resources forms for your employees.
Please note that you may also receive personal information that has already been collected by your partners or customers; this information is still covered. We invite you to contact us for further guidance on this subject.
Secondly, what personal information is collected through these means?
Once you’ve identified your means of collection, the next step is to list precisely what personal information is collected by each of them.
By drawing up a list of personal information for each means of collection, you ensure that nothing is overlooked and are better equipped to assign a specific use to each type of information (we’ll come back to this point below).
- Multitude of personal information: A company may collect a wide range of personal information. This may include identifying information (name, ID, government numbers, e-mail address), physical, behavioral or demographic characteristics, financial information, medical information, etc.
- Special mention: Remember that personal information created or inferred by your company is personal information that you collect. For example, a customer profile you generate.
Thirdly, how is this personal information used?
Having determined what you collect, it’s essential to assess how you use this personal information.
On the one hand, this enables you to verify that the consent of the individuals concerned has been obtained for the purposes you have identified.
On the other hand, it also ensures that any personal information collected is necessary for the purposes intended. A fundamental principle of privacy law is that an organization should only collect personal information if it is necessary for its identified purposes of use. The term “necessary” should be interpreted as “indispensable” rather than “useful”. For example, while you may find it convenient to collect your clients’ Social Insurance Numbers (SINs) to identify them in your systems, less sensitive alternatives (such as an internal customer number) can serve the same purpose, making the SIN unnecessary in this context.
Fourthly, what are the means of keeping this personal information?
A key step in reviewing your internal practices is to examine how you store personal information. Is this information stored on paper, on a technological medium or on an online server? Is it stored internally or externally?
Whether you store personal information on internal servers or in the cloud, it’s crucial to ensure that this data is adequately protected. Listing your various means of keeping information will also help you assess who has access to this information, how long it is retained, and the destruction methods in place once it is no longer needed.
Fifthly, is this information disclosed to third parties?
Finally, it is crucial to identify to whom you are communicating this information. Be careful, you need to think broadly! A company may be tempted to think only of the business partners to whom it passes on personal information for the direct purpose of offering its services. However, it’s just as important to include your service providers, such as those who host your data (Google Drive, SharePoint, Dropbox, iCloud, etc.), your customer management tools, your online payment tools (PayPal, Stripe, Amazon Pay, etc.), your marketing tools (newsletters, CRM, etc.), your human resources tools, your e-mail services, and more.
The simple act of storing personal information with a supplier is considered a communication within the meaning of the law on personal information. It is therefore essential to identify these suppliers, verify the protection guarantees they offer, and know where their servers are located.
Document the process
Documenting this process will give you a global view of your company’s practices for complying with Bill 25. This documentation will not only enable you to better identify the need for expert consultation, but will also speed up the drafting of the documents required for compliance. It will serve as the basis for creating or updating your privacy policy, as well as your internal policies.
Keep in mind that the personal data protection law is partly based on an obligation of means, requiring diligence in the handling of your customers’ personal information. In this sense, before seeking to comply with the new specific obligations, it is crucial to draw up a precise portrait of your current practices and to ensure your compliance with the basic legal obligations.
While having a privacy policy on your website is a legal requirement, it’s equally important that this policy accurately reflects your practices and that you respect what it says.