Quebec’s Bill 25 has undeniably marked a turning point in the province’s digital landscape. By imposing strict rules on personal data protection, it has compelled businesses to review their practices and adopt new technologies. The data portability phase, which came into effect on September 22, 2024, represents a significant new challenge for organizations.
Data Portability: What are Your Obligations?
Here are the steps to follow when, for example, Tom Boutet requests his personal information:
1. Receiving and Verifying the Request:
-
- Identifying the request: The company must formally recognize the portability request as such.
- Verifying identity: The company must ensure that the request is indeed from Tom Boutet and not a third party.
- Assessing the request: The company must determine if the request is complete and if it pertains to personal data that it actually holds.
2. Identifying Relevant Data:
-
- Data inventory: The company must inventory Tom Boutet’s personal data held in its various systems (CRM, website, applications, etc.).
- Selecting data to transmit: Only data that is directly linked to Tom Boutet and necessary for the exercise of his rights should be transmitted.
3. Choosing the Output Format:
-
- Readable and structured format: The chosen format must be readable by both humans and machines. CSV or JSON formats are often preferred.
- Interoperability: The format must allow Tom Boutet to easily reuse the data in another context.
4. Data Transmission:
-
- Secure transmission: Data must be transmitted securely to prevent any risk of leakage.
- Response time: The company has a specific deadline to respond to the request (usually one month).
- Confirmation of receipt: The company must acknowledge receipt of the request and inform Tom Boutet of the date he will receive the data.
5. Keeping a Record:
Written record: The company must keep a record of the request, its actions, and the response provided.
Do you want to ensure you can answer all of your obligations?
Contact our Analytics teamAn Ever-Evolving Regulatory Landscape
Privacy concerns have led to a proliferation of regulations worldwide, with landmark laws such as the GDPR in Europe and the CCPA in the United States. By adopting Bill 25, Quebec has aligned itself with these international trends.
While the initial phases of the law, focused on appointing a data protection officer and obtaining explicit consent, caused some stir, it was with data portability that businesses truly realized the scale of the task. The rush to CMPs (Consent Management Platforms) is evidence of this: many organizations found themselves behind and had to implement solutions to comply with the new requirements quickly.
Data Portability: Increased Complexity
Data portability obliges companies to provide individuals, upon request, with a copy of all their personal data in a structured and readable format. This obligation raises many questions:
- What data must be provided? It is essential to clearly define the scope of the data to be transmitted, considering the various sources (CRM, website, applications, etc.).
- In what format? The output format must be standardized and easily understandable by the individual. CSV or JSON formats are often preferred.
- How to secure the data? Data transmission must be secure to prevent any risk of leakage.
This new requirement represents an additional challenge for companies that have developed their own CMP. Indeed, data portability was not necessarily considered when designing these custom solutions. It is, therefore, necessary to review the technical architecture and add new features.
The Role of Digital Agencies
Faced with this complexity, businesses need to be supported by experts. Digital agencies have a key role to play in:
- Raising awareness among businesses about the challenges of data portability.
- Auditing information systems to identify personal data and data flows.
- Implementing technical solutions to meet the requirements of the law.
- Training teams on data protection best practices.
In conclusion, data portability is a major issue for Quebec businesses. While this new obligation may seem burdensome at first glance, it helps strengthen consumer trust and improve personal data protection. Organizations need to adapt quickly to this new regulatory environment with the support of digital agencies.