Articles and Insights

Get the latest news and updates from ECM Insights.


Ensure Compliance with Law 25


What is Law 25?

An Act to modernize legislative provisions as regards the protection of personal information in Quebec.

Law 25's purpose is to strengthen the protection of personal information of Quebec residents stored by the private sector. Businesses that collect, store or share information about the residents of Quebec must ensure that the legal requirements for protecting personal information are met. Additionally, Law 25 updates Quebec’s privacy laws to align more closely with international standards such as the GDPR.

Law 25 compliance is enforced by the Commission d’accès à l’information (CAI), Quebec’s data protection authority. The CAI is responsible for ensuring that organizations adhere to the law, investigating potential breaches, and handling complaints related to privacy violations. They also have the authority to impose significant penalties for non-compliance, including fines and corrective actions.

To maintain compliance with Law 25, business must retain records and evidence of activities related to personal information protection.

Maintaining a comprehensive audit trail on an organization’s information is a necessity for Law 25 compliance.


How Does Law 25 Impact Your Organization?

Organizations that operate in Quebec or serve Quebec customers must ensure compliance with Law 25. Whether you are a local business or an international company offering services to Quebec residents, this regulation requires attention.

If you're using Microsoft 365 and SharePoint, understanding how to track, log, and securely manage data is crucial to avoid non-compliance especially when it comes to the following:

  • Audit Requests:
    Under Law 25, organizations need to respond to audits and requests for personal information efficiently and accurately. This includes records of the request and consent process and any subsequent changes to that consent. Maintaing an audit trail can provide proof that consent was obtained and what the terms were, which is especially important if there is a dispute over consent.
  • Data Breaches:
    In the event of a data breach, organizations must notify both the Commission d'accès à l'information (CAI) and affected individuals if there is a risk of serious harm. Businesses need to track and document the breach discovery, the investigation, notification efforts, and the steps taken to mitigate harm. An audit trail helps demonstrate that the company responded properly and within the required timeframe.

Consequences of Non-Compliance with Law 25:

Inadequate transparency and data handling could lead to fines, reputational damage, and legal challenges.


Achieve Law 25 Compliance with Microsoft 365 and Audit Vault for M365

Audit Vault for M365 seamlessly integrates with Microsoft 365 and extends your audit log retention beyond Microsoft’s limits. With an E3 license, audit logs are stored for 180 days, and with an E5 license, they’re kept for only 1 year. However, under Law 25, your organization may need to access audit logs for much longer periods. Audit Vault for M365 preserves your audit history indefinitely, providing unlimited retention and traceability at a fraction of the cost compared to Microsoft’s offerings.

Audit Vault for M365 is the ideal solution to ensure compliance with Law 25. Here's how it helps:

  • Complete Audit Trail Visibility: Audit Vault provides a full history of audit logs (who, what, where, when and how of any activity), helping you track and secure every interaction with personal data across Microsoft 365 and SharePoint (ex. who viewed my documents).
  • Data Integrity & Traceability: Ensure that all audit records related to personal information are complete, accurate, and easily retrievable.
  • Efficient Responses to Audit Requests: Be ready to meet Law 25’s demands for transparency and auditability with fast, comprehensive audit reports, and enable the ability to view your item’s audit history directly from SharePoint.
  • Automated Compliance: With Audit Vault for M365, you can maintain compliance without additional manual oversight, safeguarding your data in line with regulatory requirements.

Become Law 25 Compliant in SharePoint Online with Audit Vault for M365.

Contact us to learn how Audit Vault for M365 can help your business meet Law 25 compliance standards.