While new requirements of the Act modernizing legislative provisions regarding the protection of personal information in the private sector, commonly known as Bill 25, have just come into force, Quebec SMEs overestimate their ability to protect personal information, that is to say any data which allows a person to be directly or indirectly identified.

However, analysis of the actual practices of these SMEs shows that only 3% of them have actually implemented all the practices necessary to comply with the requirements of phase 1 (see capsule) of Law 25, which entered into force a year ago, observes the GRIC. As for phase 2, no SME in the sample has implemented all of the required practices, although this has been an obligation since September 22 of this year.

SMEs therefore seem poorly prepared to meet the full requirements of Law 25, expected by September 22, 2024. And they do not seem motivated. Less than one in two Quebec SMEs (40%) say they have a real intention of complying with Bill 25 in the coming years.

“The general lack of manpower to carry out the organization’s current activities, the lack of skills in relation to Law 25 and a lack of time to devote to these activities are cited as real obstacles to the implementation of the Law”, reports the GRIC study.

“SMEs do not fully understand the issues,” analyzes Manon G. Guillemette, co-director of research at GRIC and director of the department of information systems and quantitative management methods (SIMQG) of the School of Management at the University of Sherbrooke. “For smaller companies, it is not natural to implement rigorous personal data management practices. And when they try to get support, the experts sometimes arrive with procedures that are too cumbersome and too complex.”

It is to meet this need that In-Sec-M, the Quebec cybersecurity cluster, created a capacity building program for SMEs to help them comply with Law 25.

After a self-diagnostic questionnaire, which allows the SME to know where it stands in terms of compliance, a 90-minute awareness session introduces it to Law 25 and cybersecurity concepts. A three-hour training course explains best practices to protect personal information. A cybersecurity expert can even come and give the SME a helping hand for ten hours. A subsidy from the Quebec government also reduces the cost of training.

But In-Sec-M is struggling to attract SMEs, confides Nicolas Duguay. “We could deliver our program to 25 times as many SMEs, without experiencing a capacity problem.” So far, only 5,000 SMEs have taken the time to sit down with the expert that In-Sec-M introduced to them to help them with their compliance. Quebec has 255,000 SMEs, according to data from Statistics Canada.

The young company TechGuys, from Longueuil, followed the In-Sec-M program. This SME founded by three friends at the start of the pandemic is experiencing strong growth in its activity of creating mobile applications and websites. The three entrepreneurs, Carl Lucier, Danyk Diotte and Philippe Pépin, saw this training as an opportunity to strengthen the service provided by the company to its clients.

“To provide good advice, we must be able to inform our clients when something could impact their project,” explains Carl Lucier. “We said to ourselves that we had to set an example to be able to advise them well.” And so the entire TechGuys team followed the training on Law 25.

If the Longueuil company is offering this awareness-raising, it is also because the requirements of the law are not clear, continues Carl Lucier. “Just providing the information is a big contribution, it’s so difficult to know what to do.”

Since September 22, 2022 (phase 1), Bill 25 requires organizations to designate a person as responsible for the protection of personal information, and to have provisions in place in the event of an incident. Since September 22, 2023 (phase 2), robust processes must govern the collection and management of personal information, with sanctions in the event of failure to comply with these obligations. On September 22, 2024 (Phase 3), each organization must be able to communicate computerized personal information upon request from the individual concerned.