Certain amendments to Québec’s Act respecting the protection of personal information in the private sector, introduced by Bill 64, will come into force on September 22, 2022. A draft Regulation specifying the requirements of these new provisions was published on June 29, 2022, subject to 45 days of consultation, to come into force on September 22, 2022.
These new provisions, inspired by the European Data Protection Regulation (GDPR), could lead to multimillion-dollar fines and apply to any organization or person, established in Québec or not, that carries out an economic activity, whether commercial or not, aimed at the production or realization of goods, their administration or sale, or the provision of services. Here is a checklist for organizations to prepare to be compliant by September 22:
1. On governance:
- The person exercising the highest authority in the organization becomes the person in charge of ensuring implementation and compliance with the Act – is this person ready to take this on?
- If not, has a delegate been designated to take on all or part of the function?
- If so, is the delegation in writing?
- Is the delegate’s contact information ready to be posted on the website, or made public in some other way?
2. On breach response:
- Has a breach response plan been adopted creating a clear process to promptly:
  - Determine whether a breach of personal information has occurred?
  - Identify and take reasonable measures to reduce the risk of injury and prevent new breaches?
  - Assess whether the breach presents a risk of serious injury?
- Has a process been set up to:…
EU confirms PIPEDA’s adequacy status under the GDPR
In a Report issued two weeks ago,[1] the European Commission advised that i…