The National Assembly of Quebec has adopted the Act to modernize legislative provisions as regards the protection of personal information (known as “Bill 64”). Regardless of their size, companies in Quebec must now begin gradually complying with the new law, and must be fully compliant by 2023. But where to start? Key insights shared during a webinar we hosted this summer for Quebec leaders as part of our virtual events series Insights Exchange can help shed some light on this topic.
Like its inspiration, the European GDPR (General Data Protection Regulation), Bill 64 will take force gradually. With some obligations in effect as of September 22, 2022, companies will be best served by addressing it immediately. The good news is that since the GDPR has been in effect since May 2018 in Europe, companies have an opportunity to learn valuable lessons that can help them identify the initiatives they should undertake. Some of these best practices were shared during our latest Insights Exchange webinar organized this summer, featuring Walid Cheriaa and Hervé Ysnel, cybersecurity, risk management, and regulatory compliance experts from CGI Business Consulting in Paris.
Both laws have the same objective: encouraging companies to adopt a “Privacy by Design” approach for all of their services and processes. This approach is founded on the concept of personal information, which relates to any information that directly or indirectly (in combination with other data) identifies a person.
Enable a fair collection of data
How consent is obtained is a key principle in managing personal information. Consent must be free, informed, clear, and granted for a specific purpose. As such, organizations must be transparent regarding their purposes for collecting and processing information. The goal of both the GDPR and Bill 64 is to ensure personal information is collected solely for the purposes and objectives of those associated services.
Another similarity between the laws is the penalty for breaches such as illegitimate collection, retention of information beyond agreed deadlines, or even failure to report confidentiality incidents (e.g., hacking). Like the GDPR, Bill 64 includes administrative sanctions as well as potential legal consequences. In other words, managing the risks associated with non-compliance is a separate, equally significant undertaking.
Do not underestimate the preparatory work needed
In addition to Bill 64’s implementation timeline, the risk of penalties should be reason enough to encourage Quebec companies to get the ball rolling and avoid the stress experienced by European companies that waited too long to act between the GDPR’s initial adoption in 2016 and its enforcement in 2018. “Because they delayed, many organizations had to stop data projects and re-prioritize because they were unable to comply with GDPR on time. The two years between 2016 and 2018 were not efficiently used to carry out the preparatory work,” explains Walid Cheriaa, CGI Business Consulting compliance, risk, and internal control expert in Paris.
Like the GDPR, Quebec’s Bill 64 will be phased in gradually, giving companies time to comply fully by 2023, and it’s essential that companies use this time wisely. Based on lessons learned from Europe, the following actions or projects can be undertaken now:
- Mapping data to identify redundancies and unnecessary data, especially concerning sensitive personal information;
- Logging all operations that handle personal information in a registry to obtain a global view of their movement within the information system and the associated risks;
- Conducting a Privacy Impact Assessment (PIA) for processing sensitive information.
Appoint a Personal Information Manager as soon as possible (before September 22, 2022)
To undertake a reform of this nature, companies will need a Personal Information Manager who will be responsible for ensuring enterprise-wide implementation of, and compliance with, the law. This function may require more than one person, depending on an organization’s governance and size.
In France, this function is assumed entirely by the Data Protection Officer (DPO). According to Hervé Ysnel, “this role should not be underestimated. In France, for example, it was sometimes considered a continuation of the Informatics and Liberties Correspondent’s role (CIL), which was a mistake.” In fact, the DPO is responsible for coordinating an organization’s global response in making the concept of “Privacy by Design” a reality, and cannot be limited to a support role. In other words, the DPO is responsible for implementing the protection of personal information.
“The DPO and the legal department are the first intermediaries who should interpret the texts and translate them into a company policy,” explains Walid Cheriaa. “Using this foundation, the IT department can design operational processes. The role of the Chief Data Officer (CDO) is also decisive in understanding the data involved and in mastering the environments in which it is registered. In essence, the DPO (with the legal department), the IT/Security department, and the CDO are the triumvirate that carries out these compliance initiatives.”
Key company departments will also have to be mobilized as work progresses:
- Control functions such as cybersecurity managers, compliance officers, and risk managers;
- Human Resources, especially processes involving sensitive employee data and information;
- Purchasing departments using subcontractors (to include specific obligations in contracts);
- Internal Communications (to ensure employee awareness and training).
Consider Bill 64 as an enterprise-wide initiative
Another lesson learned from Europe: do not underestimate the scale of the work involved. “In some large European groups, we saw entities working separately to manage their individual GDPR compliance. As sanctions apply at the group level, it is essential to adopt a global approach with a coherent and homogeneous strategy that will be developed and applied uniformly throughout all group entities,” recommends Hervé Ysnel, also a CGI Business Consulting expert in Paris on cybersecurity issues and risk management.
“This is a company-wide undertaking, and it must therefore have a high-level sponsor,” specifies Hervé Ysnel, and for good reason: beyond the financial risk, the quality of compliance with this future regulation puts the reputation of the entire company at stake. “There is value to be found in this area, too. Companies have every interest in being proactive, in communicating that they are invested in the initiative. Enhancing digital trust creates value,” says Hervé Ysnel.
Regulations such as GDPR and Bill 64 offer an opportunity to further reflect on topics such as data governance and cybersecurity policy. By turning what at first seems like a regulatory constraint into a strategic opportunity, organizations can be motivated to take action on Bill 64. Consequently, we encourage Quebec companies of all sizes to be proactive and to make use of the law’s gradual implementation schedule to start working toward compliance right away.
Please note that we are not providing legal advice, or advice on the legal implications of GDPR and Bill 64.