Appoint a manager, create registers and forms

Nov 11, 2024 | Blog

This blog post is part of our Law 25 series, which aims to help companies achieve compliance.

With the introduction of Bill 25, Quebec companies must now take concrete steps to protect individuals’ personal information. These new requirements are designed to enhance transparency and give citizens more control over their information. As part of our Bill 25 Series, we focus today on three key measures to ensure your company’s compliance:

  1. The creation of a personal information register, to keep track of the data you hold.
  2. The appointment of a Privacy Officer, using, if necessary, a template provided by Mofco to facilitate this process.
  3. The introduction of a request form, enabling individuals to assert their rights to their personal data.
  4. Managing and documenting confidentiality incidents, essential for meeting legal obligations.

These actions are essential if you are to comply with the obligations of Law 25 and strengthen the trust you have built up with your customers and partners.

1. Create a personal information register

Why is a register necessary?

Law 25 requires companies to know and document the personal information they collect, use and retain. A personal information register lets you know what data you hold, where it comes from, its purpose and the security measures in place to protect it.

What should the register contain?

A complete register should include the following elements:

  • Type of personal information: For example, name, address, telephone number, financial data, etc.
  • Data source: Where does it come from? Customers, employees, business partners?
  • Use of data: For what purposes is it used?
  • Methods of protection: The security measures in place to protect this information.
  • Retention period: How long will data be kept before being destroyed or anonymized?

How do you set up this register?

You can use an Excel spreadsheet, data management software, or a specialized compliance platform to create and maintain your register. The important thing is to update it regularly and ensure that it remains accurate and complete. Consider training employees on updating and managing personal information. If you are a Mofco customer, please contact us to receive a copy of the register in Excel format.

2. Designate a Privacy Officer

Why do we need a manager?

The designation of a Privacy Officer is a requirement of Law 25. This person will be responsible for ensuring the company’s compliance in terms of personal information protection, answering individuals’ questions about their data, and implementing the necessary security measures.

Who can be nominated?

The Privacy Officer can be a member of management, an employee trained specifically for this role, or even an external expert. By appointing someone who is competent and well-informed about data protection laws and practices, you can ensure better management and protection of personal information.

Use the Mofco template to designate a manager

At Mofco, we’ve designed a document template that makes it easy to appoint a manager. This template enables you to formalize the appointment and detail the responsibilities and powers of this person within the company. By using a clear, well-structured document, you avoid ambiguities and ensure effective communication on this crucial role.

3. Set up a request form for personal information

Why is a form essential?

Law 25 grants individuals several rights over their personal data, such as the right of access, rectification and withdrawal. To simplify the exercise of these rights, it is crucial to set up a dedicated form. This form provides individuals with a clear, structured means of submitting their requests, facilitating your internal management and ensuring a rapid, efficient response.

What should the form contain?

A well-designed application form should include:

  • Applicant’s personal information: Last name, first name, contact details.
  • Type of request: Is this a request for access, rectification or removal of data?
  • Specific details: Specific information that the user wishes to view, modify or delete.
  • Processing instructions: Processing times, documents required (if any) and response procedure.

Tips for creating an effective form

  1. Accessibility: Make sure the form is easily accessible on your website, ideally in a section dedicated to data protection.
  2. Clarity: Use simple, clear language. Avoid legal jargon that could discourage users.
  3. Security: The form must be secure, especially if it collects sensitive personal information. Use HTTPS and restrict access to incoming data.
  4. Transparency about turnaround times: Inform users about how long it will take to process their requests. For example, “We will respond to your request within 30 working days.”

Mofco customers, for a quick and efficient set-up of your personal information request form, please do not hesitate to contact us. We have pre-designed templates that can be quickly adapted to your specific needs, ensuring optimum compliance with Law 25.

4. Manage and document confidentiality incidents

The importance of an incident register

Bill 25 imposes an obligation on companies to report any security incidents involving personal information that could cause serious harm to the individuals concerned. To comply with this requirement, it is essential to keep a register of privacy incidents. This register must contain all relevant information on each incident, so that it can be reported to the appropriate authorities, such as Quebec’s Commission d’accès à l’information (CAI), if necessary.

What the confidentiality incident register must contain

A well-structured incident register should include:

  • Date of incident: The exact moment when the breach occurred or was discovered.
  • Nature of incident: Description of the type of data affected and the method of unauthorized access.
  • Potential impact: The risks and possible consequences for the individuals concerned.
  • Measures taken: Corrective actions taken to contain and rectify the breach.
  • Notifications: Information on parties informed (dates, authorities, individuals affected, etc.).

How Mofco facilitates the management of confidentiality incidents

At Mofco, we understand that managing privacy incidents can be complex and stressful for businesses. That’s why we’ve integrated privacy incident management directly into our support service. For our customers, this means less hassle and simplified compliance.

