Appoint a privacy officer, publish a policy, keep a register, data portability, transfers outside Québec, automated decisions… The practical guide to reaching Law 25 compliance without spending six months on it.
Why Law 25 still matters in 2026
Québec's Law 25 came into force in three waves: September 2022, September 2023, and September 2024. At this point, any organization that collects or handles personal information in Québec is required to comply. Yet in 2026, most Québec SMBs still aren't there - either because they're unaware of the requirements or because they've been put off by the apparent complexity.
The good news: it doesn't have to take six months. With a clear framework and the right Microsoft tools (Purview, Defender), an SMB can reach defensible compliance in 4 to 8 weeks.
The 11 items to verify in 2026
Here's the checklist we run through every time we do an initial assessment for a new client at io4. If any one of these items isn't in place at your organization, that's where you need to start.
- Appointment of a privacy officer responsible for the protection of personal information, typically the most senior executive or a member of leadership.
- A compliant public privacy policy, accessible from your website and reviewed annually.
- A privacy impact assessment (PIA) carried out systematically for every new project that involves personal information.
- A privacy incident register, kept up to date so that you are ready to report to the CAI in the event of a breach.
- A documented procedure for access and rectification requests, with response deadlines that are actually met.
- Data portability - mandatory since September 22, 2024 for private-sector organizations.
- A map of your data flows and an assessment of transfers outside Québec (section 17).
- Management of explicit consent and clearly defined collection purposes.
- Disclosure of automated decision-making and AI use (section 12.1) - especially relevant with Copilot.
- A plan to notify the CAI and the individuals concerned in the event of a significant incident.
- Ongoing team training and awareness (at least once a year).
The real cost of non-compliance
Many business owners underestimate what's at stake. Law 25 penalties fall into three tiers that can stack:
Administrative monetary penalties of up to 10 million dollars or 2% of worldwide revenue, imposed by the CAI without a trial. Criminal penalties of up to 25 million dollars or 4% of worldwide revenue. And since September 2023 (s. 93.1), a private right of civil action: any individual who suffers harm can now sue your organization directly in court, with punitive damages of at least $1,000.
For an SMB, a poorly handled incident can cost hundreds of thousands of dollars - not to mention skyrocketing cyber-insurance premiums and the loss of customer trust.
How Microsoft 365 makes compliance easier
If your stack is Microsoft, you already have the technical tools you need in hand. The catch is configuring them properly.
- Microsoft Purview for data classification, DLP policies, and governance of personal information.
- Microsoft Defender for Office 365 and Defender for Endpoint to protect against the kind of incidents that would trigger a CAI notification.
- Microsoft Entra ID (Conditional Access, MFA, Identity Protection) for secure access management.
- Microsoft 365 hosted in the Canada Central / Canada East regions for data residency.
- Centralized, exportable audit logs to demonstrate compliance during a CAI review.
Our 4-to-8-week approach
At io4, we break Law 25 compliance into four phases: gap assessment (weeks 1-2), production of the required documents, namely the policy, registers and PIA templates (weeks 3-4), Microsoft technical configuration (weeks 5-6), and team training plus an annual audit plan (weeks 7-8).
For professional firms (CPAs, lawyers, notaries, engineers), we typically deliver in 6 to 10 weeks. For public bodies and CIUSSS, plan on 12 to 20 weeks depending on complexity.
Where to start, concretely
If you haven't appointed a privacy officer yet: that's step 1, and it's something to do this week. Without a named privacy officer, you're already in breach of the most basic requirement.
If your privacy officer is in place but you have neither a public policy nor a register, that's step 2. Download our templates or talk to a Law 25 expert.
If you'd like a quick read on where you stand, our online self-assessment takes 10 minutes and gives you a clear score across all 11 items.
Want to talk it through?
Let's spend 30 minutes on your situation.
A free assessment with an io4 architect. No commitment, no sales script.