Law 25 action plan in 7 steps for an SMB
You have fifteen priorities, two part-time employees, and no dedicated "compliance" budget? We get it. Here is a practical roadmap to start or consolidate your Law 25 compliance: without aiming for perfection on day one.
The 7 steps
Choose your budget based on real risk: a local shop with no web form does not have the same urgencies as an SMB that sells online and centralizes health data in a CRM.
- Appoint the privacy officer and publish their contact details (details): monitored email, written mandate.
- Inventory the data: clients, employees, website, email, CRM, payroll, cloud services.
- Map the flows: who collects what, where it is stored, which vendors access it.
- Update policies: internal (employees) and external (site, clients), dated and understandable.
- Secure access: passwords, multi-factor authentication, backups, least privilege.
- Train teams: phishing, file sharing, transfers outside Quebec (training).
- Measure and review: documented incidents, internal audits, site scan after each major change.
Minimum documents to have
- Privacy incident register (even "small" events).
- Processing register or equivalent inventory (purposes, retention, third parties).
- Internal policy (employees, access, personal devices if allowed).
- External policy published on the Web: see SMB template and web essentials.
Prioritization if you are overwhelmed
Suggested order for quick impact:
- Published privacy officer + working email inbox for requests.
- Incident procedure written on one page (guide).
- Web policy + cookie banner aligned with reality (CAI requirements).
- Critical vendor clauses (host, CRM, marketing): see vendors.
- PIA only on high-risk projects (PIA).
Assess before the plan: express checklist. General context: Law 25 in plain language.
In brief
- Seven steps: privacy officer, inventory, flows, policies, security, training, review.
- Four minimum documents: incidents, processing, internal policy, web policy.
- If overwhelmed: privacy officer, incident, public site, critical vendors, then targeted PIA.
- Compliance is a documented marathon, not a Friday afternoon sprint.
Useful references
- CAI, Personal privacy protection: guides and tools to structure your program.
- P-39.1 Act (private sector): reference text for obligations.
- Express checklist: yes/no self-diagnosis in a few minutes.
This text is informational and does not constitute legal advice. For a decision that binds your organization, consult the CAI and a legal professional.
Check your website
Step 7 includes a scan after each major redesign: that is often where policy and reality diverge. Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program.