An insurance brokerage gets right with Quebec’s Law 25
An insurance broker handles, by nature, a mountain of sensitive personal information. This brokerage knew Law 25 applied to them, but not where to begin. We guided them end to end: mapping the data, closing the gaps, equipping governance and training the teams — without unnecessary legal jargon.

- Client: Confidential
- Industry: Financial services · Insurance brokerage
- Region: Laval, Quebec
- Context: 40 employees, highly sensitive data
- Services: Law 25 compliance · Data governance · Training
- Duration: ≈ 14 weeks
A legal obligation, plenty of uncertainty
Since September 2023, Law 25 has imposed strict obligations on any Quebec business that holds personal information. For a 40-person firm with no dedicated legal or IT department, the risk was twofold: penalties and loss of client trust.
- No mapping of the personal information held nor of its lifecycle.
- No appointed person responsible for the protection of personal information.
- Privacy and retention policies missing or outdated.
- No defined process in case of a confidentiality incident.
The obligations, one by one
Rather than a theoretical audit, we translated Law 25 into a list of concrete obligations, then worked through each until we could check it off.
- Appointment and training of the person responsible for personal information protection, with published contact details.
- Inventory of the personal information collected, its purposes, retention periods and location.
- A clear privacy policy, consent and withdrawal mechanisms, notices at the point of collection.
- A confidentiality-incident management procedure, register and obligation to notify the CAI.
- A privacy impact assessment framework for new projects and vendors.
- A process to respond to access, rectification and de-indexing requests within the deadlines.
Governance that lasts
Compliance is not a one-off project but a state to maintain. We left the firm with the tools to stay compliant without us.

- Equipped officer: The officer has templates, a review calendar and a single point of contact for clients.
- Living register: The information and incident register is designed to be easily kept up to date by the team.
- Vendor contracts: Data-protection clauses added to agreements with subcontractors and cloud providers.
- Trained teams: All staff sensitized to the right reflexes: minimal collection, phishing, reporting.
Compliant, and able to stay that way
The firm didn’t just tick boxes: it built a data-protection culture that reassures its clients and partner insurers.
Before / after
| Item | Before | After |
|---|---|---|
| Appointed officer | None | Named and trained |
| Data mapping | Non-existent | Complete and current |
| Incident handling | Improvised | Procedure + register |
| Client consent | Implicit | Explicit and traceable |
| Staff training | 0% | 100% sensitized |
> We knew we had to comply, but it felt insurmountable. Codally turned an intimidating piece of legislation into a clear list of actions. Today, we can look our clients in the eye when we talk about protecting their data.
Law 25 applies to you too.
Let’s review your obligations and build a realistic compliance plan.