Before starting on the important dates, did you know that companies must ensure that the third-party suppliers they use to process personal information are bound by confidentiality obligations in a written agreement? Under that agreement the supplier undertakes to use the information only for the purposes for which it was collected and for no other purpose, to destroy it once those purposes have been fulfilled, and never to pass it on to another party. The company remains responsible for its supplier even with an agreement in place. If the supplier is located outside the province, the company must both enter into such an agreement and carry out a privacy impact assessment to analyze the risk and confirm that doing business with this supplier will still adequately meet the objectives of Bill 25.
- The personal information affected by the incident
- The circumstances in which the incident occurred
- The date of the incident
- The date on which the company became aware of the incident
- The number of people affected by the incident
- The level of seriousness of the incident (low, medium, high or serious)
- The measures taken by the company
Consent is a big part of Bill 25. Companies must obtain clear consent from users before collecting personal information. Users may withdraw their consent at any time, in which case the company has 30 days to delete the information from its databases. In addition, the company must delete or anonymize the information once the purposes for which it was collected have been fulfilled. Every customer must be able to access their personal data and has the right to have it corrected or deleted.
What to do or not to do, that's the question
- Did you know that a date of birth is personal information? We’re not saying don’t wish someone a happy birthday at the office, but if you do it on social networks (on the person’s wall, for example) it could be considered a disclosure of personal information. Proceed with caution!
- Following on from the previous point, be careful what you share on social networks. Limit the information you share, and make sure you really know everyone on your friends list.
- We know it’s tempting, but public Wi-Fi is your worst enemy. Anyone on the same network can attempt to intercept or tamper with your traffic. If you must use it, connect through your company VPN or use your mobile data instead.
- It may seem trivial to some, but the simple act of sending an e-mail with several people in carbon copy (CC) is considered an unauthorized communication of personal information, since every recipient can see all the other e-mail addresses. You can remedy this by putting all your recipients in blind carbon copy (BCC) instead.
Advantages and disadvantages
A new right for citizens
Actions to be taken
- If you are not familiar with Bill 25, we strongly recommend that you take a training course (Psst, we provide this training 😉).
- Identify the service providers you need to support you through the compliance process. We don’t recommend doing this in-house unless you are confident you understand the requirements.
- Once the service providers have been identified, a compliance audit is in order. This will establish the steps that still need to be taken to achieve compliance and produce a game plan ordered by priority.
- Appoint a person in charge of the protection of personal information. The designation must be made in writing.
- Draw up an incident response plan. This plan lets you act quickly to limit the impact of an incident: it should set out everyone’s tasks and who to call when an incident occurs. There is no such thing as zero risk; you have to be prepared. We strongly recommend that you practice it; an incident simulation might be a good idea. It’s not an emergency plan if you don’t know how to apply it, is it? Very important: keep a printed copy on hand. If ransomware has encrypted your systems, you will not be able to open the plan on your computer.
- Review your privacy policies. They should cover how personal information is handled and protected, and who to contact with questions or complaints.
- Establish governance rules covering clear consent, the retention and destruction cycle of personal information, how data is protected within the company, the responsibilities of everyone in the company, and the responsibilities of the person in charge.
- Review agreements with third-party suppliers to ensure that everything is compliant and that information is well protected.
- Most importantly, train your employees. The weakest link is undoubtedly the human factor. An incident can happen very quickly if an employee clicks on a link in a phishing e-mail that they thought was safe.