Adopted by the National Assembly on September 21, 2021, the Loi modernisant des dispositions législatives en matière de protection des renseignements personnels (Bill 64) imposes additional obligations on all businesses and organizations to protect the personal information of the individuals with whom they do business.
But what is the impact of these obligations on SMBs?
In 2019, almost all (99.8%) of Quebec businesses were SMBs, that is, they had fewer than 500 employees, and more than half of those (53.0%) had fewer than 5 employees.
INSTITUT DE LA STATISTIQUE DU QUÉBEC
Science, technologie et innovation, July 13, 2020
Information technology provides a significant competitive advantage for these small organizations, both in terms of visibility and effective management of operations. This advantage is also accentuated by cloud technologies that are easy to access and require only minimal investment for the organization.
Often working with limited resources, most of these small firms do not have an information technology specialist on staff, although some have opted for managed IT services. The changes brought about by Bill 64 mean that any business or organization operating in the province that collects or holds information on its customers, members or partners will be required to take specific steps to protect the personal information it holds. These steps will most likely include changes to existing information systems and may sometimes require the deployment of additional technologies.
In general terms, this law imposes on companies of any size the following obligations (this list is by no means exhaustive):
ACCOUNTABILITY - The organization must appoint a privacy officer, responsible for the protection of personal information ("PI").
GOVERNANCE - The organization must adopt, enforce and publish its governance rules with respect to the collection and protection of PI. It will therefore need to inform the individual of the nature of the PI collected, the means by which it is collected, the individual's rights, the retention period of the PI, and the contact details of the privacy officer.
DISCLOSURE - The company has an obligation to disclose any confidentiality incident (such as unauthorized access to, use or loss of PI) that could compromise the PI it holds. In the event of an incident, it must also take the necessary measures to minimize the impact on the individuals concerned and to prevent similar incidents in the future. Finally, the company must maintain an up-to-date register of all confidentiality incidents involving the PI it holds.
CONSENT - The company must obtain explicit and informed consent from each individual whose PI it collects, separately for each purpose for which it intends to use it. It must explain in simple and clear terms the use that will be made of the PI. In return, the individual must take a concrete action to signify his or her consent (fill out a form, check a box, answer "yes" to a question); a pre-checked box or silence does not count.
DESTRUCTION OF INFORMATION - The company has an obligation to destroy the PI collected when the purposes for which it was collected are fulfilled.
Compliance with these new requirements involves two components:
LEGAL COMPONENT - Businesses will first need to confirm with their legal advisor that the measures they intend to adopt comply with both the letter and the spirit of the law. This applies, for example (but is not limited) to the drafting of a privacy policy, the nature of the PI the company intends to collect, and the use it intends to make of it.
TECHNOLOGY COMPONENT - Once these parameters are established, the company will need to review all of its IT systems, whether cloud or on-premises, and make the necessary adjustments. Such adjustments include (but are not limited to): publishing its privacy policy on its website or social media, adding or modifying the mechanisms required to record consent, and putting in place mechanisms to protect the data it holds (access controls, encryption, retention and deletion schedules, and incident logging).
Nexop may from time to time provide information and resources to users, including, but not limited to, references to legal information or legal resources. The provision of such information or references should in no way be construed as the provision of legal advice or guidance. Nexop encourages users to consult a lawyer for legal advice or guidance in connection with content offered by Nexop.