Law 25 Compliance — Protect your organization, not just your documents

Data mapping, operational processes, gap analysis, and concrete governance — in collaboration with your partner lawyer.

Law 25 compliance is a structured engagement to implement the obligations of Quebec's Act respecting the protection of personal information in the private sector, on the IT and governance side. Factero performs data mapping, implements incident management and access request processes, and secures your systems. Important: this service covers the IT side — we don't replace legal advice, but work in collaboration with your legal team.

Who is it for?

Quebec municipalities, RCMs and public bodies subject to the Act respecting access to documents held by public bodies and the protection of personal information — seeking to structure their compliance in a concrete and lasting way. Factero Service Conseil is registered on SEAO (Quebec) and the Ontario Tenders Portal (Ontario).

SMEs operating in Quebec, subject to the Act respecting the protection of personal information in the private sector (L.P.R.P.S.P.) — seeking to structure their compliance in a concrete and lasting way.

Organizations coming out of an audit that need to address compliance gaps under the private sector Act as amended by Law 25.

Nonprofits and associations that collect member, beneficiary, or donor data and have never structured their compliance.

Professional firms — accountants, lawyers, notaries, clinics — that manage sensitive client files and whose professional confidentiality obligations intersect with Law 25 requirements.

Cooperatives and community organizations that process personal information through their activities and need to comply without a dedicated IT department.

Growing companies whose collection of personal information has expanded and who need to structure their Law 25 compliance for the first time.

Designated PPOs without mapping or processes — an IT, HR, or finance manager named as PPO who must deliver results to management without a dedicated IT department, and who needs concrete operational infrastructure to fulfill that mandate.

When does it help?

If you recognize yourself in any of these situations, this service is designed for you.
  • Your organization does not yet have a mapping of its personal information — a baseline obligation under Law 25 and the Act respecting access.
  • You need to structure your processes (incidents, access requests, consent, retention, PIAs).
  • You want concrete, proportionate measures — not a theoretical document.
  • You have experienced an incident, received an access request without a process in place, or lost a tender due to documented compliance gaps.
  • You have systems in the cloud (M365, AWS, GCP, various SaaS) and don't know exactly where your personal information is or who actually has access to it.

What will you receive?

Map of personal information across your systems.

Option: annual compliance maintenance — mapping review, process and retention policy updates, incident register verification, awareness plan renewal, and engagement report update. Law 25 compliance is not a one-time project: systems change, practices evolve, CAI guidelines are refined. This maintenance component is available as a separate recurring engagement.

Personal information retention and destruction policy — approved document setting retention periods by category of personal information and secure destruction methods. Distinct from the mapping: where the mapping describes current retention, the policy formalizes and makes it binding. Approved by management, reviewed at minimum every two years.

Documented processes (incidents, access requests, consent, retention, PIAs).

Privacy officer (PPO) charter: document formalizing the mandate, responsibilities, authority, allocated resources, and reporting line of the PPO to management. A PPO without an approved charter is nominal — without real authority to enforce compliance measures.

Protection measures proportionate to your size.

Operational privacy incident register — structure, documented template, and detection, classification, and escalation process. Includes criteria for determining which incidents trigger notification obligations to the CAI and to the individuals concerned.

Identification of obligations toward third parties that process personal information on your behalf — Law 25 imposes contractual obligations toward these third parties.

Personal information management practices document (PGVRP): description of collection purposes, protection measures in place, processing procedures, and individual rights — an IT document that serves as the factual basis for the privacy policy drafted by the partner lawyer. Maintainable and updated with each system or practice change.

Privacy notice template: model of the notice the organization must communicate to individuals at the point of collection of their personal information — forms, emails, website, contracts. The L.P.R.P.S.P. requires that collection purposes be communicated clearly and before or at the time of collection. This template is adapted to the organization's various collection points and submitted to the partner lawyer for legal validation.

Coordination with the legal component: Factero works with a partner lawyer specializing in personal information protection to cover legal obligations. The partner lawyer handles drafting of privacy policies based on the IT deliverables produced by Factero — mapping, processes, third-party inventory. They can also provide legal opinions and represent the organization before the CAI if needed. You can retain this lawyer directly, or work with your own legal counsel.

Employee awareness plan: content, frequency, and format of training on L.P.R.P.S.P. obligations and the organization's practices — including rules for handling personal information, incident procedures, and individual rights. An untrained employee is a risk vector not covered by documentary compliance.

Engagement report: summary of findings, identified gaps, measures implemented, and outstanding actions — delivered to the PPO and management. Serves as evidence of reasonable diligence in the event of a CAI investigation or litigation.

Not a good fit?

  • This service covers the IT and governance component of Law 25 — not the legal component. If your primary need is a legal opinion, a review of your privacy policies, or representation before the Commission d'accès à l'information, this mandate alone will not be sufficient. That's not a barrier: Factero works with a partner lawyer specializing in personal information protection who can cover the legal component in parallel — or integrate with your own legal counsel if you already have one. But if you're looking solely for legal advice without an IT component, a lawyer alone will be better suited to your situation.

How does the process work?

A rigorous and transparent approach, step by step.
Scoping
Where personal information lives, who has access to it, and in what context. This work is done with your IT team and your Privacy Officer (PPO) — they're at the center of the process, not on the periphery.
Processes
Incidents, access requests, consent, retention, privacy impact assessments (PIA) and portability of personal information. We structure the operational processes for each of these obligations.
Concrete measures
Concrete and proportionate protection measures tailored to your reality and size. Includes obligations toward any third party that processes personal information on your behalf — Law 25 requires that your agreements reflect these obligations. We make sure they do.
Governance
PPO charter, employee awareness plan, and final engagement report. Documentary compliance only holds if someone has the authority, tools, and training to maintain it. We formalize governance — not just processes.

Frequently Asked Questions

Answers to the questions our clients ask before reaching out.
Our IT providers (MSP, host, etc.) process personal information. What does that mean under Law 25?
Law 25 imposes contractual obligations on you toward any third party that processes personal information on your behalf. This includes your MSP, host, SaaS software, and cloud platforms. Your contracts must include clauses covering confidentiality, security, incident notification, destruction of personal information at the end of the contract, and an audit right for high-risk third parties (art. 18.3 L.P.R.P.S.P. — to be validated with your legal counsel for the current version). This is often an overlooked area in compliance programs. Factero audits your existing agreements and helps you bring them into compliance. If your current contracts don't contain these clauses, you're non-compliant even if your internal systems are well structured.
We've already named a Privacy Officer (PPO). Is that enough?
Naming a Privacy Officer is a good start, but it's not sufficient on its own. The PPO needs the tools to do their job: data mapping, documented processes (incidents, access requests, consent), reasonable security measures, and a formal charter that gives them the necessary authority. Factero helps put this complete operational infrastructure in place — not just name someone to the role. Important reminder: if no PPO is formally designated, the person with the highest authority within the organization is considered the PPO by default — and their identity must be published on the organization's website (art. 3.1 L.P.R.P.S.P. — to be validated with your legal counsel). This obligation is frequently overlooked. Factero's approach draws on Law 25 requirements cross-referenced with NIST-CSF and ISO 27001 best practices for protective measures.
What are the penalties for non-compliance?
Law 25 distinguishes between two types of sanctions. Administrative monetary penalties are imposed directly by the CAI — they can reach $10 million or 2% of worldwide turnover for the previous fiscal year, whichever is higher. Penal sanctions involve proceedings before the courts — they target intentional or seriously negligent violations, and can reach $25 million or 4% of worldwide turnover. The Commission d'accès à l'information is progressively enforcing the new provisions — with a pedagogical approach toward good-faith organizations. A documented, proportionate compliance process remains the best protection. Individuals can also file a complaint with the CAI if their rights are not respected — this recourse is free and accessible, one more reason to structure compliance proactively.
What approach do you use for compliance?
Factero draws on Law 25 requirements and CAI guidelines, cross-referenced with information security best practices — including NIST-CSF and ISO 27001 for protective measures. The goal is compliance proportionate to your size and actual risks, not a checkbox list. The principal associate holds the CISA certification (Certified Information Systems Auditor) — ISACA. For public bodies, the approach takes into account the requirements of the Act respecting access to documents held by public bodies and the protection of personal information, which applies to public bodies in lieu of the private sector Act. Factero holds professional liability insurance for all IT governance and compliance advisory mandates.
Are you required to maintain a privacy incident register?
Yes — Law 25 requires every organization to maintain a privacy incident register (art. 3.5 L.P.R.P.S.P. — to be validated with your legal counsel for the current version). A privacy incident under Law 25 includes any unauthorized access, use, or disclosure of personal information, as well as any loss of information that could allow such access. This register must document all such incidents, whether or not reported to the CAI. Incidents presenting a serious risk of harm must be reported to the CAI and to the individuals concerned — this is the key criterion for determining the notification obligation. This register must be made available to the CAI upon request. An organization that does not maintain it is non-compliant, even if it has never experienced a major incident. Factero helps set up the register, detection and documentation processes, and the criteria for determining which incidents trigger the notification obligation.
What is a PIA and when is it mandatory?
A PIA (privacy impact assessment) is a structured analysis of the privacy risks that a project or system poses to individuals. Law 25 enshrines the principle of privacy by design and makes the PIA mandatory for any project presenting a privacy risk — notably when acquiring new software, making a significant system change, undertaking a development project, or communicating personal information outside Quebec. In the latter case, a written agreement with the recipient is also required, confirming an adequate level of protection for the information communicated. It is one of the least known — and most costly if ignored — obligations. An organization that deploys a system without a prior PIA is non-compliant from the start. Factero helps you integrate the PIA into your IT project management processes — not as a barrier, but as a structured step that protects the organization and documents the decisions made.
What happens if an individual requests the destruction of their personal information?
Law 25 recognizes two distinct rights: the right to withdraw consent and the right to request the destruction of personal information. These rights can be exercised separately and have different effects — withdrawing consent does not automatically trigger an obligation to destroy if the organization has another legal basis for retaining the information (contract, legal obligation, ongoing litigation, etc.). If destruction is required but impossible, anonymization is a recognized alternative. The organization must respond within a reasonable timeframe and document the actions taken. CAI guidelines suggest 30 days as best practice. It must be able to justify retaining the information if it refuses the request. Factero helps you put this process in place — receiving requests, processing timelines, documenting decisions, and coordinating with the legal side if the request raises complex questions.
Can an individual request access to the personal information you hold about them?
Yes — Law 25 gives any individual the right to access the personal information an organization holds about them, and to request correction if information is inaccurate, incomplete, or ambiguous. The organization must respond in writing within a reasonable timeframe — CAI guidelines suggest 30 days. It must also indicate the information held, its use, and the third parties to whom it was communicated. Refusing an access request without legitimate grounds is a violation of Law 25. Recognized grounds for refusal are limited — for example, if disclosure would infringe on a third party's privacy or compromise an ongoing investigation. Factero helps you put in place the process for receiving and handling access and correction requests — timelines, forms, documentation, and escalation to the legal side if needed.
How long does a Law 25 compliance engagement take?
Duration depends on the size of the organization, number of systems, and current maturity level in personal information protection. As a reference:
  • SME under 25 employees, few systems: 3 to 5 weeks.
  • SME with 25 to 100 employees, multiple systems: 6 to 10 weeks.
  • Public body or more complex organization: 10 to 16 weeks.
These ranges cover all standard engagement deliverables — mapping, processes, gap analysis, incident register, third-party inventory, PPO charter, practices document, notice template, and engagement report. The legal component (privacy policy drafted by the partner lawyer) runs in parallel and does not extend the overall timeline. A 60-minute scoping call with Factero is enough to establish a precise estimate for your organization.
What is the workload expected from our team during the engagement?
The approach is designed to minimize the workload on your side — you won't be handed a 200-line questionnaire to complete on your own. In practice, the engagement requires:
  • 2 to 3 working sessions with the PPO and key system owners (1–2 hours each).
  • A review of contracts with your main third parties (read access, no manual transcription on your part).
  • Periodic validations on the mapping and processes produced (30–60 minutes per deliverable).
The bulk of the work — structuring, drafting, gap analysis, template production — is done by Factero. You validate, approve, and take ownership. For a PPO managing another role in parallel, the total workload is generally 6 to 12 hours spread over the engagement duration.
Our organization is subject to the Act respecting access to documents — how does your approach differ?
Quebec public bodies are subject to the Access Act, not the L.P.R.P.S.P. — municipalities, RCMs, school boards, health institutions, and government agencies. Both laws were amended under the Law 25 reform, but their obligations, timelines, and sanctions differ. Our approach for public bodies accounts for:
  • Specific obligations under the Access Act (document access, personal information protection, access coordinator).
  • The Quebec government's information governance framework (CGIQ) and applicable Treasury Board Secretariat directives.
  • Accountability requirements to elected officials, municipal council, or audit committee.
  • The distinct sanctions regime applicable to public bodies.
The engagement produces the same types of deliverables — mapping, processes, register, training — but calibrated for the legal and institutional framework of public bodies. Factero is registered with SEAO for IT governance advisory mandates.
What exactly does the engagement cover — and what doesn't it cover?
The engagement covers the entire IT and governance component of Law 25 compliance: personal information mapping, operational processes, gap analysis, incident register, third-party inventory, PPO charter, management practices document, privacy notice template, awareness plan, and engagement report. What the engagement does not cover:
  • Drafting the final privacy policy: that is the partner lawyer's role, based on Factero's IT deliverables.
  • Formal legal opinions and CAI representation: the partner lawyer covers these.
  • Technical implementation of recommended measures (e.g., encryption deployment, system reconfiguration): Factero documents and recommends; your IT team or suppliers implement.
This clear delineation protects your organization: each component is handled by the appropriate professional.
Our advice is 100% neutral and independent. See our Charter of Independence.

Need to move forward on this?

Let's discuss your specific situation. No commitment, just expert advice.