Law 25 action plan in 7 steps for an SMB

You have fifteen priorities, two part-time employees, and no dedicated "compliance" budget? We get it. Here is a practical roadmap to start or consolidate your Law 25 compliance: without aiming for perfection on day one.

The 7 steps

Choose your budget based on real risk: a local shop with no web form does not have the same urgencies as an SMB that sells online and centralizes health data in a CRM.
  1. Appoint the privacy officer and publish their contact details (details): monitored email, written mandate.
  2. Inventory the data: clients, employees, website, email, CRM, payroll, cloud services.
  3. Map the flows: who collects what, where it is stored, which vendors access it.
  4. Update policies: internal (employees) and external (site, clients), dated and understandable.
  5. Secure access: passwords, multi-factor authentication, backups, least privilege.
  6. Train teams: phishing, file sharing, transfers outside Quebec (training).
  7. Measure and review: documented incidents, internal audits, site scan after each major change.

Minimum documents to have

Prioritization if you are overwhelmed

Suggested order for quick impact:

  1. Published privacy officer + working email inbox for requests.
  2. Incident procedure written on one page (guide).
  3. Web policy + cookie banner aligned with reality (CAI requirements).
  4. Critical vendor clauses (host, CRM, marketing): see vendors.
  5. PIA only on high-risk projects (PIA).

Assess before the plan: express checklist. General context: Law 25 in plain language.

In brief

Useful references

This text is informational and does not constitute legal advice. For a decision that binds your organization, consult the CAI and a legal professional.

Check your website

Step 7 includes a scan after each major redesign: that is often where policy and reality diverge. Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program.