Law 25: Compliance and Optimization of Our Cybersecurity Practices
In recent years, we have witnessed numerous privacy scandals that have caused significant headaches. In response, the government of Quebec has chosen to implement new measures to protect the privacy of Quebecers in the form of Law 25. These measures were adopted in 2021 and have been phased in gradually since September 2022, and they will come into full effect by September 2024. Here's how nventive is preparing for this and how our experts are strengthening our existing cybersecurity measures.
Incidents such as the data breaches at Desjardins, Equifax, or Cambridge Analytica have created a widespread perception that the handling of data collected online lacks transparency, owing to deficient corporate practices and sometimes deceptive business practices. It became essential to ensure a safer online experience for all users.
Europe initially paved the way in May 2018 with the General Data Protection Regulation (GDPR), and Quebec followed suit with Law 25, aimed at modernizing the Act respecting the protection of personal information in the private sector, which dates back to 1994. These new obligations apply to all organizations handling the personal data of their users. "They enhance the protection of personal information and hold companies accountable, giving every citizen greater control over the use of their personal data, under the threat of financial penalties," says Christelle Lopez, Product Owner and member of the compliance committee at nventive.
What does this mean for a service-oriented company like nventive?
Our experts are actively working on a wide range of projects for many clients in North America. As a company that provides digital solution development services, the products that result from these projects are operated by our clients and their users. We ensure that the data from each project is securely stored with our clients, as they become the sole owners once the digital solution is launched.
We restrict access to project data (backlogs, business requirements, code, etc.) to individuals with authorized roles. If the data is stored in the cloud, as is often the case, we ensure that it remains in geographic regions that comply with current regulations. At all times, the client retains full control, and we take all necessary measures to revoke unnecessary access at the end of the project, ensuring full compliance.
We are required to be well-versed in the new rules of Law 25 to align our own internal practices, but our role with our clients is to guide them in adopting these new measures. We are not the executors of this new law. Instead, we refer them to the appropriate legal services so that each client can establish their own framework in response to these new obligations.
Updating Internal Practices
If this is your first visit to our site, you may have encountered a pop-up while reading this article asking for your consent to use browser cookies. Indeed, like any company operating on the web to enhance its communication channels, our marketing team collects and analyzes traffic and actions taken on various pages of the site to provide a better browsing experience and deliver personalized and targeted content.
With your consent, this data is first anonymized and then stored with us, as detailed explicitly in our privacy policy. It also governs the storage of a variety of internal data that must be securely kept on our servers (human resources, finances, sales prospects, etc.).
Therefore, our company policy also underwent a necessary modernization following the implementation of Law 25. Fortunately, our already rigorous processes established by our cybersecurity experts only required minor adjustments to better comply.
Of the new elements the law requires, we had already implemented over the years a detailed, up-to-date log of past incidents, as well as a proven incident response plan. In addition to the essential cybersecurity controls developed by our experts, the consent request for browser cookies was already active, including clear details about their usage, and a Chief Privacy Officer had been designated long ago to oversee data governance.
To further comply, our cybersecurity experts ensured the documentation and transparency of our policies, especially regarding the data collection, storage, destruction, and anonymization processes of personal data. "We needed to, among other things, inquire about the service providers we work with to determine where our external data is stored and what they do with it, ensure that information on the website is easily accessible, and ensure that only specific roles can have privileged access to certain internal data, all while enhancing our policies to the maximum," explains Francis Venne, Chief Privacy Officer at nventive.
Key Takeaways
The first thing to do, no matter where you are in your efforts, is to ensure you obtain the best legal advice so that all measures are put in place and align with your use of personal data from your users. No company is identical, and the advice nventive received is unique to our business practices. Failing to comply or neglecting to do so can result in hefty fines.
By following good legal advice, make sure you understand the journey of your customers' data once consent is obtained, review your cybersecurity measures, and keep them up to date. Protecting your users and ensuring their secure browsing is part of an ongoing process.
Choosing to work with nventive ensures that you are on the right side of the law. Our team understands the ins and outs, and in collaboration with your legal team, we make sure that your digital solution includes the essential features to ensure compliance.
The information displayed on the nventive website is general and provided for informational purposes only. Nothing contained therein is legal advice or counsel. You should consult with a lawyer before relying on any information provided by nventive.