Inspired by the European data protection model, Bill 64 introduced new amendments to Quebec’s Act respecting the protection of personal information in the private sector. The entry into force of the set of new obligations outlined in the adopted bill was distributed over three years, starting on September 22, 2022.

Hitachi Systems Security experts already provided Practical Insights On How To Choose A Privacy Officer Or Data Protection Officer, one of the new obligations scheduled for this first set of changes. As part of the sequence of obligations foreseen for September 2022, the organizations will also have to implement enhanced data breach response mechanisms.

Our experts prepared the following list with four major actions to support compliance with this new requirement.

1. Implementing specific and clear internal procedures.

For the effectiveness of any privacy and data protection measures, organizations need to have clear and specific procedures in place according to the applicable legal requirements. In the case of personal data breaches implicating Quebec jurisdiction, one of the first elements that should be included in these procedures is how to assess whether a data breach presents a risk of serious injury. It is crucial to be able to identify it as soon as possible because if the breach presents a risk of serious injury, the organization must notify the Commission d’accès à l’information  (CAI) as well as those who had their personal information breached without delay, as will be presented further in this list.

Therefore, these procedures (or procedure) should at least clarify how to register the data breaches, how the response plan should be put in place to mitigate the risk of injury, and how to proceed in case of a request from CAI regarding incidents or data breaches involving personal data.

2. Adopting (or updating) an Incident Response Plan.

Organizations should implement a clear Incident Response Plan to determine whether an incident or a breach of personal information has occurred and appoint reasonable measures to reduce the risk of injury and prevent similar events. This document guides the teams on how to proceed in the event of a data breach or if suspected. Even though it is recommended to handle data breaches in a case-by-case basis, this document will provide an appropriate course of action for time-sensitive decisions and endeavors to control the risks and damage.

3. Notifying the Commission d’accès à l’information(CAI), as appropriate.

Following the legal provisions and those described in the procedures and Incident Response Plan, the organization must be ready not only to respond to the CAI when asked, but also to notify them in case of a data breach – as well as the persons who had their personal information impacted. This notification shall be sent in writing and provide a broad range of information related to the breach, such as (i) organization’s name or the Québec business number, (ii) name and contact of a person responsible to discuss the matters related to the event, and (iii) the measures taken or intended to be taken by the organization after the event, among other information.

Organizations also need to be aware that in certain situations they can give a public notice, for example when the contact information for the person concerned is unknown or when sending an individual notice is likely to cause undue hardship for the organization. These exceptions and others should be properly documented.

4. Establishing an Incident/Data Breach Registry.

Organizations must document the data breach that have occurred. This document is commonly known as Incident or Data Breach Registry (or record) and usually states, at least:

• a description of the personal data implicated.
• a brief description of the incident (date/time, how, who, when, where, why – any information available).
• the moment when the organization became aware of the breach or incident.
• how many persons and/or data was affected by the incident/breach (even if it is an approximate number).
• the existence (or not) of risk of serious injury to the persons concerned and how the organization reached this conclusion.
• If applicable, when the appropriate notifications of the incident/breach were transmitted to the CAI or affected persons (or public notices as appropriate).
• the measures implemented by the organization to control and/or mitigate the risks of injury.

When any of the above information is not identified or identifiable, you must document this as well, in order to justify the absence of such information in the Record.

Each of these measures has several steps to reach an acceptable level of compliance with the new legislation. Accordingly, each one of them requires time and resources availability (which can be internal or outsourced, for example, using the services provided by Hitachi Systems Security).

For this reason, although the implementation of this reform in Quebec will be phased from 2022 to 2024, organizations need to start their compliance processes immediately in order not to miss the deadline and be subject to severe penalties. If your company fails to comply with the new requirements, it will be exposed to significant consequences, including severe fines and all the negative outcomes coming from reputational damage.

Therefore, it is so important not only to know the new legal requirements, but above all to put them into practice, which can be done with the help of the expertise of those who have been in the field of data protection and cybersecurity for years.

Click here to schedule a free call with our Data Protection Experts. They will help you better understand the obligations applicable to your organization and the best way to approach the new requirements in your case.