SMEs are at risk from the new personal data protection law

$25 million in penalties, lost sales, litigation… the new provisions of Law 25 on personal data, which come into force this Friday, risk harming our SMEs.

“This may be the kick in the butt that companies need to better manage their data,” says Jean-François Renaud, president, partner and co-founder of the 110-employee firm Adviso, about Law 25.

Starting Friday, new rules under Bill 25 protecting Quebecers’ personal information will tighten the screws on 200,000 businesses.

“Failure to inform data subjects when collecting their personal data will result in a warning followed by a fine of $10 million or 2% of sales. This is huge,” emphasizes Jean-François Renaud from Adviso, which helps SMEs better control their data.

“If you try to identify a natural person with anonymized information without their permission, it could cost $25 million and 4% of revenue,” he adds.

Data in Excel

According to a study by the Interdisciplinary Cybersecurity Research Group (GRIC) at the University of Sherbrooke, barely 3% of SMEs meet the current requirements of the Personal Information Protection Act, so the task promises to be gigantic.

However, the risks associated with data loss or theft are very real.

From September 22, 2022 to March 31, 2023, the Commission for Access to Information (CAI) received more than 218 incident reports, of which 13% were due to human error (see table).

“Customer data is lying around in Excel files on every computer. No matter what, there is some, and it is really dangerous for the consumer,” says Jean-François Renaud of Adviso by way of illustration.

More difficult marketing

The consequences of the law will be difficult for companies, as they will be less able than before to sell their products through the famous targeted marketing.

If fewer visitors to their website agree to share their data, it becomes much more difficult for a company to conduct targeted marketing.

“If companies are less able to do remarketing, they will have fewer sales. You will be less efficient in marketing. It has a real impact,” analyzes Jean-François Renaud.

For Kateri-Anne Grenier, a lawyer at Fasken who specializes in data protection, companies are not yet ready, but they are trying.

In a sign that the issue is of concern, nearly 1,000 people attended an information session on the subject at Fasken on Wednesday, an unprecedented number.

“Companies feel like they have to do everything at once,” she summarizes.

It is no longer a jungle: small and large companies alike have to prove their skills when it comes time to use their customers’ valuable data.

“Profiling, geolocation, tracking… we need to give the user many more rights than before,” she explains.

“It will no longer happen in complete freedom and opacity,” she concludes.

What will change with Law 25 from Friday…

  • Commitment to implementing personal information management policies and practices
  • Obligation to provide information to the data subject if a decision is based solely on automated processing
  • Obligation to inform the person when using identification, location or profiling technologies
  • Anonymization of personal data
  • New rules on consent
  • Right to de-indexing (or right to deletion or forgetting)
