All resources

Law 25 checklist for SMBs

Practical checklist for Quebec small businesses — Law 25 obligations in practice.

Use this checklist with your team. This is not legal advice — it's a practical starting guide.

Governance and transparency

  • [ ] Privacy policy published (French first for Quebec audience)
  • [ ] Person responsible for personal information identified
  • [ ] Privacy incident log (even a simple spreadsheet)
  • [ ] Process to handle access / correction requests

Collection and consent

  • [ ] Web forms: clear purpose + consent where required
  • [ ] Data collected limited to what's needed
  • [ ] Retention period documented per data type

Technical security

  • [ ] MFA on email and admin accounts
  • [ ] Tested backups (mail, critical files)
  • [ ] Access revoked when employees leave
  • [ ] Security updates on workstations

Vendors and subprocessors

  • [ ] List of tools storing client/employee data
  • [ ] Cloud vendor policies reviewed
  • [ ] Data location (country/region) documented when possible

Next step

Want an outside review? Request a free assessment — we'll help prioritize actions for your situation.

Ready to review your IT setup?

Request a free assessment — we reply within one business day.

Free IT assessment