Quebec’s Law 25 Regulation (Bill 64): Act To Modernize Legislative Provisions Regarding The Protection Of Personal Information
This law represents a step change in how businesses in Quebec must manage and protect personal information. The requirements expected to have the highest operational impact on businesses include:
- Higher fines: The Law introduces new penal offences with significant fines of upwards of 4% of annual revenue.
- Stricter privacy requirements: This includes, among other requirements, mandatory assessment of privacy-related factors, assessments for sharing of personal information outside of Quebec to ensure adequate protection, “separate” and “granular” consent and new individual rights.
WHAT IS LAW 25?
Quebec’s act to modernize legislative provisions regarding the protection of personal information, also known as Law 25, first came into effect in September 2022 for its phase 1, with additional data handling requirements coming into effect in September 2023 and further requirements in 2024.
This regulation, originating in the province of Quebec, introduces privacy legislation that is part of Canada’s wider privacy reform.
Law 25 introduces a new set of obligations and requirements for businesses related to the data protection and data security of Quebec residents. These new requirements include individual privacy rights, data breach notification, DPO appointment and others.
With the full law in effect, organizations will be expected to fully comply with its privacy requirements or face penalties of $25,000,000 or 4% of worldwide turnover for the previous year, whichever is greater.
Quebec’s Law 25 applies to Quebec-based businesses as well as to external businesses processing the personal information of any number of Quebec residents; there is no minimum threshold to meet before the law’s requirements apply.
LAW 25 KEY REQUIREMENTS
Several new requirements were introduced in September 2023. These obligations require organizations to reassess their data protection and privacy program and capabilities, develop new policies and capabilities, and introduce new controls in order to comply.
Subject rights under Law 25 are similar to those defined in the EU General Data Protection Regulation (GDPR). The following subject rights take effect by September 2023, with other rights, such as the right to data portability, taking effect in September 2024.
- Right to be informed
- Right to access collected information
- Right to privacy by default
- Right to rectification
- Right to erasure (Right to be Forgotten)
- Right to withdraw consent
- Right to restrict processing
- Right to data portability (effective September 2024)
Privacy officers should respond to requests within 30 days of receipt, with the possibility of an extension.
The new additions to the law define enhanced rules relating to the individual consent required prior to the collection, use or disclosure of personal information. Like the GDPR and other data privacy laws, Quebec’s data privacy law requires businesses to give consumers the choice of activating any technologies that may be used to track their personal information.
Requests for consent must be made separately from any other information provided to the individual. Consent for some uses or disclosures of sensitive personal information must be given expressly. Parental approval must be obtained before collecting, using or disclosing personal information about a minor under the age of 14.
Key requirements related to consent under Law 25 include:
- Free and informed
- Given for specific purposes
- Requested for each purpose
- Presented in clear and simple language
- Requested separately from any other information
- Given expressly for sensitive personal information
- Right to withdraw consent (applies within private sector only)
Under the new requirements stipulated in Law 25, organizations must report data breaches to the Commission d’accès à l’information du Québec and to any affected individuals. The organization is required to notify a breach as soon as possible after the incident occurs when unauthorized access to personal information is likely to cause a “risk of serious injury” to the individual, and to maintain a full record of all security incidents.
A Data Protection Officer (DPO) must be appointed by businesses in order to comply with Law 25. The law further assigns the responsibility of overseeing compliance to the most senior employee. Organizations must publish the name, title and contact information of the individual responsible on their website.
PRIVACY IMPACT ASSESSMENT
Organizations are required to conduct a Privacy Impact Assessment in certain cases, such as when acquiring, developing or overhauling an information system or electronic service delivery system that involves the collection, use, release, keeping or destruction of personal information. A Privacy Impact Assessment is also required for all activities where personal information will be shared outside Quebec. An assessment should include information relating to:
- The sensitivity of the information
- The purposes for which it is to be used
- The protection measures, including contractual ones, that would apply
- The legal framework applicable in the jurisdiction with which the information is shared
SecuPi’s PRACTICAL APPROACH TO IMPLEMENTING LAW 25 KEY REQUIREMENTS
Law 25 covers a wide range of topics related to data protection and digital operational resilience. It sets uniform requirements for the security of personal information and applies to organizations operating in Quebec or serving any number of Quebec residents.
SecuPi offers a technology-agnostic, data-centric security platform specifically designed to address regulated organizations’ compliance, governance, privacy and data-security requirements and regulations, offering a superset of capabilities consistently enforced over on-premises, hybrid and cross-cloud platforms:
- Real-time visibility and user behavior analysis
- Fine-grained access control (ABAC)
- Deidentification of data, at rest & in-use
In recent years, the SecuPi data security platform has been deployed at dozens of Global 2000 organizations, serving data-protection, security, privacy, governance and sovereignty requirements and use cases.
SecuPi Privacy Capabilities – Addressing LAW 25 Technical Requirements
SecuPi’s platform provides a practical, easy-to-deploy solution for addressing multiple data-protection requirements and use cases across data privacy (e.g., consent, deletion), governance (fine-grained access control, protection in use), sovereignty and data security. Policies are enforced seamlessly across operational and analytical workloads, enabling secure and compliant data operations across the organization’s business processes, data consumers, data-processing technologies and data stores.
The platform provides a simple and intuitive GUI to define data security policies (no application changes, no development and no schema changes), ensuring data-privacy and data-security policies are consistently enforced over PII and sensitive data. All access to data is monitored in real time, with full visibility into every data processing and access transaction, full end-user context, user behavior analytics and forensics.
CONSENT & RIGHT OF ERASURE ENFORCEMENT:
SecuPi provides a flexible way for organizations to enforce granular consent as directed by Law 25. Customer requests such as consent and right-of-erasure requests are recorded in a DSAR (Data Subject Access Request) platform or within other systems. These platforms, however, lack the ability to actively enforce the customer’s request across the organization’s landscape; instead they rely on the SecuPi enforcement engine to apply a consistent policy for every customer consent decision, across any data store, processing tool and data consumer.
SOLVING THE CONSENT COMPLEXITY
One of the challenges of consent enforcement is the ongoing data flow between operational applications and analytical platforms. As data captured in the operational systems is collected for analysis, it is imperative to enforce the customer’s consent BOTH on the operational systems (e.g., CRM, campaign management) and on the analytical platforms (data lake, analytics workloads, etc.). Simply put, consent must be consistently applied across the organization’s IT stack, business processes, data-processing tools and data consumers.
SecuPi integrates with any external system or feed containing the customer opt-in/opt-out requests; using the platform’s contextual ABAC, the customer’s consent decision is consistently enforced over the customer’s data wherever it is processed across the organization. Furthermore, SecuPi can ensure that personal data of customers who opted out is not pushed as part of the ongoing updates from the operational systems to the analytical workloads.
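The following is an added illustration of the consent-enforcement idea described above, written for this page; it is not SecuPi code and does not use the SecuPi platform's API. It models a consent registry with one granular decision per purpose and an ABAC-style filter that sits on the replication path from an operational system to an analytical platform: records of subjects who opted out of the consuming purpose are not pushed at all, and identifying fields are masked for roles that do not need them. The registry, the records, the role names and the purpose names are all constructed for the example.

```python
"""Consent-aware replication filter: operational (CRM) records are only pushed
to the analytical platform when the data subject consented to that purpose,
and identifying fields are masked for roles without a need to know them.
Added illustration of the approach described in the text; not SecuPi code."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed consent registry (in practice fed from a DSAR/consent system):
# one decision per purpose, matching Law 25's per-purpose consent requirement.
CONSENT_REGISTRY: Dict[str, Dict[str, bool]] = {
    "cust-001": {"service_delivery": True, "analytics": True, "marketing": False},
    "cust-002": {"service_delivery": True, "analytics": False, "marketing": False},
    "cust-003": {"service_delivery": True},  # never asked about analytics
}

# Constructed operational records; names and addresses are fictitious.
OPERATIONAL_RECORDS: List[dict] = [
    {"customer_id": "cust-001", "name": "A. Tremblay", "email": "a@example.invalid", "city": "Montreal", "spend": 120.0},
    {"customer_id": "cust-002", "name": "B. Gagnon", "email": "b@example.invalid", "city": "Laval", "spend": 80.0},
    {"customer_id": "cust-003", "name": "C. Roy", "email": "c@example.invalid", "city": "Quebec", "spend": 45.0},
]

IDENTIFYING_FIELDS = {"name", "email"}
# Hypothetical role attribute: only these roles may see direct identifiers.
ROLES_WITH_IDENTIFIERS = {"support_agent"}


@dataclass(frozen=True)
class AccessContext:
    """Attributes of the consuming workload, used for the ABAC decision."""
    purpose: str  # purpose declared by the consumer, e.g. "analytics"
    role: str     # role of the user or service, e.g. "analyst"


def has_consent(registry: Dict[str, Dict[str, bool]], customer_id: str, purpose: str) -> bool:
    """Absent, never-requested or withdrawn consent all evaluate to opt-out (default deny)."""
    return registry.get(customer_id, {}).get(purpose, False)


def withdraw_consent(registry: Dict[str, Dict[str, bool]], customer_id: str, purpose: str) -> Dict[str, Dict[str, bool]]:
    """Return a new registry with the subject's consent for one purpose withdrawn."""
    updated = {cid: dict(p) for cid, p in registry.items()}
    updated.setdefault(customer_id, {})[purpose] = False
    return updated


def apply_policy(records: List[dict], ctx: AccessContext, registry=CONSENT_REGISTRY) -> List[dict]:
    """Filter and mask records for the given context before replicating them."""
    released = []
    for rec in records:
        if not has_consent(registry, rec["customer_id"], ctx.purpose):
            continue  # opted out: the record is not pushed to this consumer at all
        if ctx.role not in ROLES_WITH_IDENTIFIERS:
            rec = {k: ("***" if k in IDENTIFYING_FIELDS else v) for k, v in rec.items()}
        released.append(rec)
    return released


if __name__ == "__main__":
    for row in apply_policy(OPERATIONAL_RECORDS, AccessContext("analytics", "analyst")):
        print(row)
```

Because the decision is taken per record and per consuming context, the same function can run at the operational source, on the replication job and in front of the analytical store, which is the point of enforcing consent consistently across the stack rather than in one place.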
ENFORCING RIGHT OF ERASURE
One of the most complex requirements within Law 25 relates to the customer’s right of erasure (also known as the right to be forgotten, RTBF). There are multiple considerations to take into account, such as time (retention), business and process, requiring both a well-defined implementation methodology and a technology solution that addresses them all:
- Dynamic retention time frames: elapsed time plays a major role in erasure management. There are specific mandated periods within which specific actions must be taken to comply with various business and regulatory data retention requirements
- Application and data set interdependencies: applications, business processes and data interrelationships can be broken if the removal of data records is not coordinated across platforms
- Privacy principles: by definition, anonymized data cannot be deleted on request (or it is not anonymized). Which attributes need to be removed to achieve anonymization?
- Order of action(s): the location and order in which different actions must occur are critical to comprehensive compliance
To solve these challenges, SecuPi provides an extensive set of capabilities (soft deletion, physical anonymization and physical deletion, retention workflow, and others) designed specifically to address the right-of-erasure requirement while eliminating the risks associated with data corruption, retention regulations and data operations.
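As an added example of how the four considerations above interact, the block below walks a single erasure request through a soft-deletion, anonymization and physical-deletion workflow. It is written for this page and is not SecuPi's implementation: the tables, the seven-year order retention period and the field names are constructed placeholders. The soft-delete step hides identifiers immediately, the retention job anonymizes the parent record while dependent orders must still be kept, and once retention has elapsed it deletes children before the parent so that no dangling references are left behind.

```python
"""Right-of-erasure workflow with retention and interdependency handling:
soft-delete immediately, anonymize while dependent records must be retained,
physically purge children before parent once retention has elapsed.
Added illustration of the considerations listed above; not SecuPi code."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

IDENTIFYING = ("name", "email", "phone")
# Constructed retention rule: orders must be kept for a fixed period (placeholder
# value; the real period comes from the applicable accounting/tax obligations).
ORDER_RETENTION = timedelta(days=7 * 365)


@dataclass
class Store:
    customers: Dict[str, dict]
    orders: Dict[str, dict]  # each order references a customer_id
    pending: Dict[str, date] = field(default_factory=dict)  # customer_id -> request date


def request_erasure(store: Store, customer_id: str, today: date) -> None:
    """Step 1 (soft deletion): flag the subject so consumers stop seeing identifiers at once."""
    store.customers[customer_id]["erased_pending"] = True
    store.pending[customer_id] = today


def view_customer(store: Store, customer_id: str) -> Optional[dict]:
    """What a consumer sees: identifiers suppressed for flagged subjects, keys intact
    so orders keep referring to a valid parent record."""
    rec = store.customers.get(customer_id)
    if rec is None:
        return None
    if rec.get("erased_pending"):
        return {k: ("<erased>" if k in IDENTIFYING else v) for k, v in rec.items()}
    return dict(rec)


def run_retention_job(store: Store, today: date) -> List[str]:
    """Step 2: resolve pending requests in dependency order.
    Returns a log of the actions taken (constructed wording)."""
    actions = []
    for cid in list(store.pending):
        dependent = [oid for oid, o in store.orders.items() if o["customer_id"] == cid]
        retained = [oid for oid in dependent if today - store.orders[oid]["date"] < ORDER_RETENTION]
        if retained:
            # Children must be kept: anonymize the parent in place instead of deleting it.
            # The remaining attributes (city, order totals) no longer identify the person.
            if not store.customers[cid].get("anonymized"):
                for f in IDENTIFYING:
                    store.customers[cid][f] = None
                store.customers[cid]["anonymized"] = True
                actions.append(f"anonymized {cid}; retained orders {sorted(retained)}")
            continue
        # Order of actions: delete dependents first, then the parent, then close the request.
        for oid in dependent:
            del store.orders[oid]
        del store.customers[cid]
        del store.pending[cid]
        actions.append(f"purged {cid} with {len(dependent)} order(s)")
    return actions


def demo_store() -> Store:
    """Constructed sample data for the demonstration; names are fictitious."""
    return Store(
        customers={
            "cust-A": {"name": "A. Tremblay", "email": "a@example.invalid", "phone": "000", "city": "Montreal"},
            "cust-B": {"name": "B. Gagnon", "email": "b@example.invalid", "phone": "000", "city": "Laval"},
        },
        orders={
            "ord-1": {"customer_id": "cust-A", "date": date(2024, 1, 15), "total": 99.0},
            "ord-2": {"customer_id": "cust-B", "date": date(2015, 3, 1), "total": 10.0},
        },
    )
```

The request stays open after anonymization so that a later run of the job, once the orders fall outside their retention period, completes the physical deletion; keeping the request open is what ties the "dynamic retention" and "order of actions" considerations together.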
ADOPTING DATA CENTRIC SECURITY & PRIVACY
The law further describes other privacy rights such as the right to be informed, the right to access collected information and the right to privacy by default. Furthermore, the law also addresses information sharing, where similar controls and restrictions should apply to Quebec residents’ information.
To effectively address these challenges, organizations must reevaluate how they apply data privacy and data protection, and implement a data-centric security approach throughout their IT and business ecosystem.
MAPPING, DISCOVERY & CLASSIFICATION
First, organizations should map out all current strategies, policies and processes for managing data risks, along with the roles and responsibilities of all related functions and coordination structures within the organization.
While mapping policies and processes is labor intensive, it is a critical part of the planning process and gap analysis. SecuPi offers a set of sensitive-data discovery and classification capabilities, which include:
- Application Driven Discovery and Classification
- Auto-discovery and classification engine – for datastore level discovery
- Out-of-the-box integration and seamless enforcement of policies over ISV data catalogs and data-discovery tools
All data access and data-processing activities must be properly classified and systematized by relevance and priority in order to have a clear picture of the overall measures, tools and processes involved, as well as their interdependencies, which is necessary to establish a solid action plan for compliance. SecuPi offers context-aware user activity monitoring and analysis, providing unmatched visibility into end-to-end user activities across the organization’s ICT technologies and users.
REAL TIME VISIBILITY WITH FULL END USER CONTEXT
A key requirement for any data security practice is gaining consolidated, end-to-end visibility into all user and data-consumer activities, together with the context in which each activity was executed. The SecuPi platform provides visibility into every user’s activity with full end-user context, allowing fine-grained visibility into “who did what, where, and when” and the execution of actions such as notification and remediation for unauthorized access and anomalous activities. SecuPi offers several key capabilities for real-time visibility:
(1) Monitoring in real time all user access to personal and sensitive data, while keeping detailed records of all access and access attempts. Anomalies and suspicious user behavior are detected via User Behavior Analytics (UBA) to stop threats across high-risk applications, alert the data controller in real time and block malicious access attempts
(2) Providing a detailed audit trail, in other words a record of processing for each and every access to the data
(3) Providing a consolidated view of any and all user access to sensitive data via the SecuPi platform, as well as by sending the information to the SOC team (SIEM)
(4) Providing granular information on the user’s request and the data accessed. Every user action can be recorded, stored and later retrieved for forensics, to obtain full contextual evidence of breach attempts. This data can be encrypted or masked to meet privacy regulations.
(5) Gaining full visibility into DB activity through real-time DB access monitoring. Actions can be invoked upon unauthorized access attempts, such as killing the session or notifying.
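To make the monitoring capabilities above concrete, here is an added example of the kind of user-behavior baseline that drives the "alert" and "block" decisions. It is not SecuPi's detection logic and the log format, thresholds and users are constructed for the page: historical access events are parsed into a per-user profile (mean rows per access and the set of sensitive tables touched), and each new event is scored against that profile so that a bulk read far beyond the user's own norm on sensitive data blocks, an elevated read or a first-time access to a sensitive table alerts, and ordinary activity passes.

```python
"""User-behavior baseline over sensitive-data access logs: flag bulk reads that
deviate from a user's own history and first-time access to a sensitive table.
Added illustration of the monitoring approach described above; not SecuPi code.
The log format below is constructed for the example."""
import re
from collections import defaultdict
from statistics import mean
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) table=(?P<table>\S+) "
    r"rows=(?P<rows>\d+) sensitive=(?P<sensitive>true|false) src=(?P<src>\S+)$"
)

# Constructed historical access events forming the baseline period.
HISTORY = """\
2024-05-01T09:10:00 user=alice app=crm table=customers rows=12 sensitive=true src=10.0.1.5
2024-05-01T11:40:00 user=alice app=crm table=customers rows=8 sensitive=true src=10.0.1.5
2024-05-02T10:05:00 user=alice app=crm table=customers rows=10 sensitive=true src=10.0.1.5
2024-05-01T14:00:00 user=bob app=bi table=orders rows=5000 sensitive=false src=10.0.2.9
2024-05-02T14:00:00 user=bob app=bi table=orders rows=5200 sensitive=false src=10.0.2.9
""".splitlines()

ALERT_RATIO = 5.0   # rows read vs. the user's mean: notify the controller / SOC
BLOCK_RATIO = 50.0  # rows read vs. the user's mean, on sensitive data: kill the session


def parse_line(line: str) -> dict:
    """Parse one access record; unparseable lines are an error, not silently dropped."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["rows"] = int(ev["rows"])
    ev["sensitive"] = ev["sensitive"] == "true"
    return ev


def build_baseline(lines: List[str]) -> Dict[str, dict]:
    """Per-user mean rows per access and the set of tables the user has touched."""
    rows = defaultdict(list)
    tables = defaultdict(set)
    for ev in map(parse_line, lines):
        rows[ev["user"]].append(ev["rows"])
        tables[ev["user"]].add(ev["table"])
    return {u: {"mean_rows": mean(rows[u]), "tables": tables[u]} for u in rows}


def evaluate(line: str, baseline: Dict[str, dict]) -> dict:
    """Score one new event: 'allow', 'alert' (notify) or 'block' (terminate the session)."""
    ev = parse_line(line)
    reasons: List[str] = []
    decision = "allow"
    profile = baseline.get(ev["user"])
    if profile is None:
        # Unknown principal touching sensitive data has no history to compare against.
        if ev["sensitive"]:
            decision, reasons = "alert", ["no baseline for user accessing sensitive data"]
        return {"user": ev["user"], "decision": decision, "reasons": reasons}
    if ev["sensitive"] and ev["table"] not in profile["tables"]:
        decision = "alert"
        reasons.append(f"first access to sensitive table {ev['table']}")
    ratio = ev["rows"] / max(profile["mean_rows"], 1.0)
    if ratio >= BLOCK_RATIO and ev["sensitive"]:
        decision = "block"
        reasons.append(f"bulk read: {ratio:.0f}x the user's usual volume")
    elif ratio >= ALERT_RATIO:
        decision = "alert"
        reasons.append(f"elevated volume: {ratio:.0f}x the user's usual volume")
    return {"user": ev["user"], "decision": decision, "reasons": reasons}
```

The returned `reasons` list is what would be forwarded to the SIEM alongside the raw event, so the SOC sees why a session was blocked rather than only that it was.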
ENTITLEMENT, ACCESS-CONTROL & DE-IDENTIFICATION
Unauthorized access to data is a common cause of privacy breaches. Companies can prevent it by implementing an integrated data access entitlement model, encapsulating both Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), to support real-life data-access scenarios without compromising business operations or data security.
Another key pillar of data security is ensuring data is also protected from the IT staff, third parties and cloud administrators who manage the infrastructure of the organization’s data platforms. This means that data needs to be protected with an additional layer of security, namely de-identification with full key segregation, while ensuring access on a need-to-know basis without compromising business operations.
De-identification is a broad term covering an extensive set of methods to protect data; these include, among others, dynamic data masking, physical masking, encryption, tokenization, pseudonymization and anonymization. Enforcing de-identification over data at rest restricts access to the data for everyone, while allowing only selected users with a valid purpose to gain access to it, and ensures that DBAs, administrators, cloud providers and other third-party contractors cannot access sensitive data, even at the infrastructure layer.
De-identification is becoming even more important (and complex) for multinational organizations looking to leverage a cloud data platform as an organization-wide analytics platform. Global operations mean not only GDPR, CCPA and other privacy regulations but also data sovereignty. In such cases, the notion of de-identification is extended with the need for Segregation of Duties and key segregation, two important elements at the core of data sharing and global data operations.
END-TO-END DATA SECURITY: SoD & HOLD YOUR OWN KEY
SecuPi enforces secure cross-border data collaboration and data sharing while seamlessly addressing data privacy and sovereignty requirements on cloud platforms.
SecuPi Data Air-Locks are specifically designed to enable organizations to keep cloud data secured at all times. Seamlessly enforcing data privacy, sovereignty and security requirements in cross-cloud environments, SecuPi ensures the data is protected from ingestion to consumption, with full key segregation (HYOK, Hold Your Own Key), and is only decrypted in specific geographic locations and only for authorized users.
This approach allows organizations to easily govern and control all data access and data-processing transactions while enforcing full Segregation of Duties (SoD) on their cloud data platforms and analytical workloads, ensuring that clear-text data is NEVER accessible globally but can only be decrypted locally, on a ‘need-to-know’ basis, at a specific location.
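The block below is an added example that ties together the de-identification and key-segregation points from the two sections above; it is not SecuPi's Data Air-Locks implementation and reflects no knowledge of how that product works internally. It models a local key holder that owns the pseudonymization key and a token vault, produces deterministic HMAC-based tokens so the cloud analytics side can still join and count on them, and releases clear text only to an authorized role at a permitted location. The class names, the location codes, the role names and the sample records are constructed for the example; real deployments would typically use a tokenization or encryption service rather than an in-memory vault.

```python
"""Pseudonymization with key segregation: tokens are produced with a keyed hash
under a key that stays with a local key holder, analytical platforms only ever
receive tokens, and re-identification is released only to authorized roles in a
permitted location. Added illustration of the de-identification and
Hold-Your-Own-Key concepts described above; not SecuPi code."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set


class LocalKeyHolder:
    """Holds the pseudonymization key and the token vault. Conceptually lives in the
    organization's own jurisdiction; the key is never handed to the cloud platform."""

    def __init__(self, allowed_locations: Set[str], allowed_roles: Set[str], key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)  # fresh random key unless one is supplied
        self._vault: Dict[str, str] = {}            # token -> original value, kept locally
        self.allowed_locations = allowed_locations  # where clear text may be released
        self.allowed_roles = allowed_roles          # who may request release

    def pseudonymize(self, value: str) -> str:
        """Deterministic token (same input, same token) so joins and counts still work
        on the analytical side without exposing the identifier itself."""
        digest = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        token = digest[:32]  # 128 bits is ample for a collision-resistant token
        self._vault[token] = value
        return token

    def reidentify(self, token: str, location: str, role: str) -> Optional[str]:
        """Release the clear-text value only for an authorized role at a permitted location;
        anything else gets nothing, including an indication of whether the token exists."""
        if location not in self.allowed_locations or role not in self.allowed_roles:
            return None
        return self._vault.get(token)


def export_for_analytics(records: List[dict], holder: LocalKeyHolder, identifying=("name", "email")) -> List[dict]:
    """What leaves the local zone for the cloud platform: identifying fields replaced by tokens."""
    return [{k: (holder.pseudonymize(v) if k in identifying else v) for k, v in r.items()} for r in records]


# Constructed sample input; names are fictitious. Two rows for the same person
# show that the tokens line up for aggregation without revealing who it is.
SAMPLE_RECORDS = [
    {"name": "A. Tremblay", "email": "a@example.invalid", "city": "Montreal", "spend": 120.0},
    {"name": "A. Tremblay", "email": "a@example.invalid", "city": "Montreal", "spend": 30.0},
]

if __name__ == "__main__":
    holder = LocalKeyHolder(allowed_locations={"CA-QC"}, allowed_roles={"privacy_officer"})
    for row in export_for_analytics(SAMPLE_RECORDS, holder):
        print(row)
```

Segregation of duties falls out of the structure: the platform administrators who operate the analytical store hold tokens and no key, while the key holder's release check is the single point where location and role are enforced.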
SecuPi Data Air-Locks offer a future-proof technology with an enhanced data security posture, ensuring data is never compromised while stored and processed on a cloud platform, and reducing security TCO (Total Cost of Ownership).
SecuPi offers SEAMLESS END-TO-END DATA SECURITY ACROSS YOUR CLOUD DATA OPERATIONS. FULL SoD. ZERO CODE. This enables fast deployment of the necessary controls over the organization’s infrastructure, enforcing Law 25 security and regulatory technical requirements.