Protection of personal information and Bill 64: 6 good reasons to begin compliance efforts immediately

The Act to modernize legislative provisions as regards the protection of personal information (known as “Bill 64”) has just been adopted by the Québec National Assembly, with effective dates staggered up to 2023. It may appear tempting to wait. However, the European experience with the GDPR encourages organizations to take advantage of the gradual application of the Act.

Getting started right now, even though Bill 64 on personal information (PI) hasn’t been fully enforced yet. This is probably one of the most important factors contributed by the European experience: companies have every interest in launching the resulting initiatives as soon as possible. Being proactive on the issue means understanding and anticipating the risks of fines, benefiting from this opportunity to strengthen its corporate reputation, and avoiding the eventual postponement of projects, particularly those related to personal information. Taking the lead therefore offers many advantages. Here are six good reasons to begin the compliance efforts immediately.

• Reason #1: Strengthen agility to carry out PI-related projects

As we pointed out in our previous blog, Québec companies have every interest in drawing on the rapid gains observed by European companies.

In other words, companies could already map the nature of the processes related to personal information in their information systems to identify the vulnerabilities, of course, but also the redundancies, approximations, sources of errors and, more generally, everything that causes a loss of efficiency.

There will be tangible gains from conducting such mapping as soon as possible. Indeed, this initiative will allow companies to acquire knowledge of their data, which currently may be missing or incomplete. Once the Act is completely in force, this knowledge will be indispensable to stay agile enough to maximize the chances of success of projects involving personal data. Failing this, these projects could suffer from major delays related to non-compliance.

• Reason #2: Anticipate a possible shortage of competencies

This is one of the lessons learned by European companies confronted with the GDPR deadlines: waiting too long means taking the risk of being confronted with a shortage of competencies required to support the changes induced by Bill 64. We are not only referring to legal competencies for support in the interpretation of the texts, updating of all contracts (sale, hiring, purchase, etc.), but also those necessary to support the multiple initiatives.

In France, several months before the GDPR took effect, companies were already having major difficulties mobilizing resources to support them.

• Reason #3: Take advantage of new definitions of data protection

While the GDPR developed the concept of “pseudonymization”, Bill 64 seeks to introduce the concept of “depersonalization”. Information is considered “depersonalized” once it does not allow a person to be reidentified directly. “Anonymization” is viewed as an alternative to destruction, because it must no longer be possible to attach anonymized information to a person.

Based on the consents collected and the end uses, companies therefore must clearly decide on the information to be depersonalized or anonymized. Above all, they must ensure that the solutions implemented for depersonalization or anonymization are reliable. Failing this, all the projects using such data could suffer.

•  Reason #4: Be equipped to deal with current and future threats

Bill 64 is being adopted in a period when cyber threats are multiplying. In particular, ransomware attacks encrypt data and take it hostage to sell it back. Penalties and obligations of transparency increase the risks for a company’s corporate reputation both in case of a breach and of a security incident.

It is therefore essential to question the security measures in place: is the antivirus software up to date? Are patches applied to the systems? Are blacklists established (both for sites and for email senders)? Is the number of high-privilege accounts limited? Are the activity recovery and data restoration plans ready and tested regularly? These questions deserve a security maturity diagnosis.

•  Reason #5: Integrate the new risks related to personal information

Even if it is possible that companies will be granted a certain probation period, the potential consequences, whether penal or administrative, must not be forgotten.

It would be in the organizations’ interest to extend the scope of their risk management and make regulatory observance a full-status compliance project. Waiting for full implementation of the text to integrate the management of these risks means exposure to delays in application and thus risks of fines. However, beyond the financial risks, there is an opportunity for organizations.

• Reason #6: Strengthen the corporate reputation

As described above, the regulations governing personal information are an opportunity to strengthen the security of the personal data in the company’s possession. The purpose of compliance is to avoid unlawful collection of personal information and limit the risk of data leaks. This is a real opportunity for organizations to reassure customers and the public about the way they process their data, leading to some digital confidence and contributing to their good image.

We must recognize that compliance with Bill 64 will require time and investment. But hitching onto it now and launching the personal information initiatives means taking advantage of the regulations, benefitting from improvement of internal processes and potentially creating a significant competitive advantage as a trailblazer. 
It is important to note that we are not giving legal advice or advice on the legal implications of the GDPR and Bill 64.