All resources

Law 25 essentials for small businesses

What Quebec's Law 25 means for SMBs — concrete obligations in plain language.

Quebec's Law 25 modernizes personal information protection. For an SMB, the message is simple: if you collect data about clients or employees, you have obligations — and they keep tightening over time.

Here's the essentials, without legal jargon.

Who does it apply to?

Almost any business that:

  • keeps client email, phone, or address in a file ;
  • runs a website with a contact form ;
  • employs people with HR records ;
  • stores invoices or contracts digitally.

If you do business in Quebec, Law 25 applies — regardless of team size.

Core obligations

Privacy policy. Clients and employees should know what data you collect, why, and how long you keep it. On your website, that's the privacy page — French first.

Privacy officer. One designated person in the business (often the owner in an SMB) who answers privacy questions.

Reasonable security. Strong passwords, multi-factor authentication (MFA) on email and admin accounts, role-based access. This isn't optional — it's what "appropriate security measures" means in practice.

If something goes wrong. When personal information is exposed (ransomware, compromised email, stolen laptop), you must assess impact and, depending on severity, notify the Commission d'accès à l'information (CAI) and affected individuals — on tight timelines.

What Law 25 doesn't always require

You don't need $50k software or a full annual audit on day one. You need to start: data inventory, locked-down access, tested backups, and a plan when things go wrong.

For deeper work, a paid Law 25 audit with a written report is an option — useful before growth or a large client contract.

IT and Law 25: the direct link

Your IT provider (or "computer guy") often touches personal data: email, M365 accounts, backups. Your service agreement should cover confidentiality and incident obligations.

At Atlas Numérique, Law 25 awareness is part of how we work — not a marketing add-on. See our Law 25 compliance page for what we offer.

Start this week

  1. Confirm your site has an up-to-date privacy policy (French primary).
  2. Enable MFA on Microsoft 365 — all accounts, especially admins.
  3. List who has access to what (email, shared drives, apps).
  4. Confirm backups work — and test a restore.

Questions? Request a free assessment — we can prioritize HIGH items for your setup.

Ready to review your IT setup?

Request a free assessment — we reply within one business day.

Free IT assessment