Quebec's Law 25 for SMBs: Where to Start (Step-by-Step Guide)
Not sure where to start with Law 25? A practical 7-step guide to bring your small business into compliance, without a big IT team or an oversized budget.

To bring an SMB into compliance with Quebec's Law 25, start with three actions: appoint a privacy officer, build an inventory of the personal data you hold, then publish a privacy policy and an incident-handling process. Compliance isn't a multi-month project: the essential foundations can be laid in a few weeks.
Key points
- Law 25 applies to ANY Quebec business that holds personal information, regardless of size or industry.
- Three pillars: a designated officer, transparency (policy + clear consent) and an incident-response plan.
- Start with a data inventory — it unlocks every other step.
Does Law 25 really apply to my small business?
Yes. Contrary to popular belief, Law 25 (the act modernizing legislative provisions on the protection of personal information) is not just for large enterprises. As soon as a Quebec organization collects, uses or stores personal information — about customers, employees or prospects — it is subject to the law. An online shop, a clinic, an accounting firm or a 10-person manufacturer are all affected.
The obligations came into force in phases (September 2022, 2023 and 2024). Today the full regime applies, including the right to data portability and the duty to be transparent about automated decisions.
You are almost certainly affected if you manage:
- a customer base (emails, addresses, purchase history);
- employee records (payroll, HR, contact details);
- a website with a contact form, newsletter or online payment;
- health, financial or biometric data.
The 7 steps to get started
Here is the sequence we recommend to the SMBs we support. It is deliberately pragmatic: each step produces a concrete deliverable.
1. Appoint a privacy officer (by default, the person with the highest authority) and publish their title and contact details.
2. Map your data: what information you hold, where it is stored, who can access it, how long you keep it.
3. Write or update a clear, accessible privacy policy and publish it on your website.
4. Review consent: it must be free, informed and given for specific purposes (no more pre-ticked boxes).
5. Set up a register and a protocol for confidentiality incidents (who to notify, how, within what timeframe).
6. Bind your vendors and processors with contractual data-protection clauses.
7. Secure the data technically: encryption, access control, backups, logging.
The most common mistakes
Most non-compliance we see does not come from bad intentions, but from avoidable shortcuts.
- Copy-pasting a privacy policy found online that does not reflect actual practices.
- Forgetting employee data, often overlooked in favour of customer data only.
- Keeping data "just in case", with no retention period or justification — a major risk.
- Having no incident plan: Law 25 requires fast reaction and documentation.
How long does it take and how much does it cost?
For a typical SMB, laying the foundations (steps 1 to 5) usually takes 3 to 6 weeks. Technical security (steps 6 and 7) depends on your existing infrastructure.
Cost varies with your maturity: a well-equipped SMB may only need targeted guidance, while an organization handling sensitive data should invest in a full audit and remediation. The key is to start: compliance is an ongoing process, not a one-time certificate.
Frequently asked questions
Does Law 25 apply to small businesses?
Yes. Law 25 applies to any business operating in Quebec that holds personal information, regardless of size. A sole proprietorship or a small SMB is subject to it just like a large organization.
Am I required to appoint a privacy officer?
Yes, it is mandatory. By default the responsibility falls to the person with the highest authority in the business, but it can be delegated in writing. The officer’s title and contact details must be published (usually on your website).
What are the penalties for non-compliance with Law 25?
Penalties can be severe: administrative fines up to CA$10M or 2% of worldwide turnover, and penal sanctions up to CA$25M or 4% of turnover. Beyond fines, the reputational risk is often the most costly for an SMB.
What is the difference between Law 25 and the GDPR?
Law 25 is the Quebec law, the GDPR is the European regulation. The principles largely overlap (transparency, consent, individual rights), but definitions, deadlines and formalities differ. A business active in both Quebec and Europe must comply with both.
How long does it take to become compliant?
The essential foundations (officer, data inventory, policy, consent, incident plan) can be set up in 3 to 6 weeks for a typical SMB. Compliance then remains an ongoing process to maintain.
Key takeaway
Don't aim for perfect compliance on the first try: focus first on the foundations (officer, inventory, policy, consent, incident plan). At Codally, we support Quebec SMBs across the whole journey, from diagnosis to technical data security.
Need support?
Codally can help you integrate these solutions into your business.
