Since September 2023, Quebec's Law 25 has imposed concrete obligations on every business that collects personal information, SMEs included. However, many SMEs in Trois-Rivières and the Mauricie region are still unsure whether they are compliant. Fines can reach $25 million or 4% of global revenue. That's why acting now remains the best course of action.
At OKTO Solutions, we help Quebec SMEs understand their obligations and implement the necessary technical measures. In this guide, we first explain what the law specifically requires. Then, we detail the 7 steps to achieve compliance. Finally, we specify how Microsoft 365 technology simplifies this process.

Quick answer: Quebec's Law 25 requires SMEs to protect personal information: appoint a privacy officer, obtain clear consent, secure data, and report incidents. Fines can reach $25 million.
1. What is Quebec's Law 25 and which SMEs does it apply to?
Law 25, officially the Act to modernize legislative provisions concerning the protection of personal information, replaces the former law on the protection of personal information in the private sector. It applies to any business that collects, uses, discloses, or retains personal information about individuals, whether they are customers, employees, or suppliers.
In other words, if your SME maintains a customer list, employee records, or an online contact form, the law directly affects you. However, the obligations vary depending on the size of your organization and the type of data you process.
- September 2022: first individual rights in force
- September 2023: mandatory governance, incident management and privacy impact assessments
- September 2024: portability and deindexing rights in force
- Fines: up to $25 million or 4% of global revenue for serious violations.
2. The 5 main obligations of Law 25 for your SME
Law 25 introduces several concrete obligations. Here are the five most important for an SME in the Mauricie region.
1. Appoint a privacy officer
Every company must designate a person responsible for ensuring compliance. Furthermore, this person's name and contact details must be published on your website. In an SME, this role is often filled by the owner or a human resources manager.
2. Inventory your personal information
You must know exactly what information you collect, where it is stored, who has access to it, and how long you retain it. A personal information register that records these facts therefore becomes mandatory. This register is the foundation of Law 25 compliance for an SME.
3. Report privacy incidents
If your data is compromised, lost, or accessed without authorization, you are obligated to assess the risk and report it to the Commission d'accès à l'information (CAI) of Quebec. Therefore, an incident management plan becomes essential. Our article on disaster recovery plans for SMEs covers this aspect in detail.
4. Obtain explicit consent
The collection of personal information must be based on clear and specific consent. Vague forms or pre-checked boxes are no longer acceptable. You must explain why you are collecting each piece of information and obtain informed consent.
5. Conduct a privacy impact assessment (PIA)
Before undertaking any new project involving personal information, your SME must assess the privacy risks. This includes, in particular, adopting new software, implementing a CRM system, or launching an email marketing campaign.

3. Quebec SME Law 25: The 7 steps to achieve compliance
Compliance with Quebec's Bill 25 for SMEs is not a one-time project. It's an ongoing process. However, here are seven concrete steps to get started effectively.
Step 1: Designate your privacy officer
First, choose the person responsible for compliance in your organization. Then publish their name on your website, ideally in your privacy policy.
Step 2: Take inventory of your data
List all sources of personal information: web forms, CRM software, HR files, customer lists, emails. For each source, document the type of data, its location, its retention period, and authorized access.
Step 3: Update your privacy policy
Your policy must now include individuals' rights, a list of the information collected, the purposes of the collection, and the contact information of the person responsible. Furthermore, it must be written in clear and accessible language.
Step 4: Secure your computer systems
Law 25 requires SMEs to adopt security measures proportionate to the sensitivity of the data. This includes data encryption, role-based access control, multi-factor authentication, and regular backups. This is where OKTO Solutions can provide concrete assistance. Indeed, Microsoft 365 natively includes several of these tools.
Step 5: Establish an incident management process
Define who does what if an incident occurs. In particular, specify the reporting deadline (within 72 hours for serious cases), the people to contact, and how to document the incident.
Step 6: Train your employees
Your employees are your first line of defense. Therefore, training on handling personal information, recognizing phishing attempts, and incident procedures is essential. Consult our guide on AI cyberattacks targeting SMEs in 2026 to understand the current risks.
Step 7: Review and update regularly
Compliance with Quebec's Law 25 is not a one-time project for an SME. Rather, it's an ongoing practice. Review your register and measures at least once a year, or whenever there's a significant change in your operations.

4. How Microsoft 365 helps your SME comply with Law 25
The good news is that several Microsoft 365 tools directly meet the requirements of Quebec's Law 25 for SMEs. Therefore, if your SME already uses the Microsoft suite, you likely already have access to compliance features that you are not yet using.
- Microsoft Purview: classification and protection of sensitive data, data loss prevention (DLP) and monitoring of access to personal information.
- Azure Active Directory: granular access management, multi-factor authentication, and audit logs to demonstrate who has access to what.
- Microsoft Defender: detection of security incidents and automatic alerts in case of abnormal access to personal data.
- Data retention policy: automatic deletion of data after its defined retention period, which reduces your exposure.
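The following script is an added example, not OKTO Solutions' or Microsoft's own configuration, showing how the Purview, retention and audit bullets above (and the security measures of Step 4) translate into concrete Microsoft 365 settings through Security & Compliance PowerShell. It assumes you hold a Compliance Administrator role in your tenant, that the ExchangeOnlineManagement module is installed, and that the register you built in Step 2 documents a retention period for customer records. The policy names, the seven-year retention figure and the output file name are placeholders to replace with values from your own register.

```powershell
# Added example (not OKTO Solutions' or Microsoft's code): Law 25 technical measures in
# Microsoft 365, configured through Security & Compliance PowerShell.
# Assumptions: Compliance Administrator role, ExchangeOnlineManagement module installed,
# and a retention period already decided in your personal information register (Step 2).
# Policy names and the 7-year figure below are placeholders, not values from this guide.

# 1. Sign in to Security & Compliance PowerShell (interactive sign-in, MFA supported).
Connect-IPPSSession

# 2. Retention: keep customer records for the period documented in your register, then
#    delete them automatically. The register says "7 years" (placeholder); the rule counts days.
$retentionDays       = 7 * 365
$retentionPolicyName = "Law25-Customer-Records"

if (-not (Get-RetentionCompliancePolicy -Identity $retentionPolicyName -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name $retentionPolicyName `
        -Comment "Law 25: delete customer records after the documented retention period" `
        -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
        -Enabled $true

    # Age is measured from the last modification; items past the period are deleted.
    New-RetentionComplianceRule -Name "$retentionPolicyName-Delete" `
        -Policy $retentionPolicyName `
        -RetentionDuration $retentionDays `
        -ExpirationDateOption ModificationAgeInDays `
        -RetentionComplianceAction Delete
}

# 3. Data loss prevention: detect emails and files that carry a social insurance number when
#    they are shared outside the organization. Start in test mode so matches can be reviewed
#    before enforcement is switched on (-Mode Enable).
$dlpPolicyName = "Law25-Personal-Information"

if (-not (Get-DlpCompliancePolicy -Identity $dlpPolicyName -ErrorAction SilentlyContinue)) {
    New-DlpCompliancePolicy -Name $dlpPolicyName `
        -Comment "Law 25: detect personal information leaving the organization" `
        -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
        -Mode TestWithNotifications

    # Built-in sensitive information type; minCount = "1" flags a single match.
    New-DlpComplianceRule -Name "$dlpPolicyName-SIN-External" `
        -Policy $dlpPolicyName `
        -ContentContainsSensitiveInformation @{ Name = "Canada Social Insurance Number"; minCount = "1" } `
        -AccessScope NotInOrganization `
        -BlockAccess $true `
        -NotifyUser Owner, LastModifier `
        -GenerateIncidentReport SiteAdmin `
        -IncidentReportContent Title, DocumentAuthor, Detections, Severity
}

# 4. Audit trail: who opened or downloaded SharePoint/OneDrive files in the last 7 days.
#    This is the evidence the privacy officer keeps to show who accessed what, and the
#    starting point for the incident assessment described in Step 5.
$end   = Get-Date
$start = $end.AddDays(-7)

$accessEvents = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SharePointFileOperation `
    -Operations FileAccessed, FileDownloaded `
    -ResultSize 5000

# AuditData is a JSON string per event; flatten the fields worth keeping in the register.
$accessEvents |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, Operation, ObjectId |
    Sort-Object CreationTime |
    Export-Csv -Path ".\law25-file-access-last-7-days.csv" -NoTypeInformation
```

Run it once with the DLP policy in test mode, review the matches reported in the Purview portal, and only then change `-Mode` to `Enable`. The retention rule deletes data, so the number of days must come from the retention period you recorded in your register in Step 2, not from this example. Multi-factor authentication and role-based access (the Azure Active Directory bullet) are configured in the identity admin center rather than through these cmdlets and are not covered here.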
To learn more about these tools, consult the official Microsoft documentation on information protection and the resources of the Quebec Access to Information Commission.
Frequently Asked Questions about Quebec's Law 25 for SMEs
My business is small. Does Quebec's Law 25 still apply?
Yes. The law applies to any business that collects personal information, regardless of its size. However, the obligations are proportional. A small business with 5 employees has fewer obligations than a company with 200 people, but the basic principles remain the same.
What are the penalties for non-compliance?
The Access to Information Commission can impose administrative fines of up to $10 million. In addition, the court can impose criminal fines of up to $25 million or 4% of global revenue for serious violations.
Where do we start if we haven't done anything yet?
Start by taking inventory of your data and designating a data manager. These are the two most important steps. Then, contact OKTO Solutions for an audit of your IT environment. We will assess your current technical measures and propose an action plan tailored to your specific needs as an SME in the Mauricie region.
OKTO Solutions supports you in complying with Law 25
Compliance with Quebec's Bill 25 for SMEs may seem complex. However, with the right technology partner, it becomes a structured and accessible process. At OKTO Solutions, we assess your environment, identify gaps, and implement the necessary technical measures in Microsoft 365 and beyond.
Contact our team for a free evaluation of your Law 25 compliance, or discover our cybersecurity and compliance services for SMEs in Quebec.
