Québec Law 25 and Third-Party Risk Management

In the event of a confidentiality incident involving personal information:

a. Take reasonable measures to reduce the risks of harm to the affected individuals and prevent similar incidents from occurring again.

b. Notify the Commission and the affected individual if the incident poses a risk of serious harm.

c. Maintain a record of incidents, a copy of which must be provided to the Commission upon request.

Respond to, report on, and mitigate the impact of third-party vendor data protection incidents by centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance. Key capabilities in your third-party incident response program should include:

• Continuously updated and customizable event and incident management questionnaires
• Real-time questionnaire completion progress tracking
• Defined risk owners with automated chasing reminders to keep surveys on schedule
• Proactive vendor reporting
• Consolidated views of risk ratings, counts, scores and flagged responses for each vendor
• Workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business
• Guidance from built-in remediation recommendations to reduce risk
• Built-in report templates for internal and external stakeholders

Establish practices that will allow you to react appropriately and quickly in the event of a confidentiality incident involving personal information (e.g., incident response plan and staff directive).

Consider structuring incident response practices around a common industry best practice framework for incident management such as the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide, SP 800-61.

Inventory the personal information held by your company (or on its behalf by a third party) and assess its sensitivity.

Start by building a map to identify relationships between your organization and third, 4th or Nth parties to visualize information paths and determine at-risk data.

Conduct a Privacy Impact Assessment (PIA) when required by the law, for example, before disclosing personal information outside of Québec.

Conduct an internal Privacy Impact Assessment (PIA) targeting the most sensitive privacy-related data and business processes with the highest risk. Leverage the PIA to evaluate the origin, nature and severity of the potential risk and provide recommendations for mitigating identified risks and ensuring compliance with privacy regulations.

Then, assess vendor data privacy controls using a dedicated Law 25 survey. The survey should be designed to identify risks and map them to controls for a clear view of potential hot spots.

Destroy personal information when the purpose of its collection is achieved or anonymize it for use in serious and legitimate purposes, subject to conditions and a retention period specified by law.

Automate offboarding procedures to reduce your organization’s risk of post-contract exposure. Seek solutions that enable you to:

• Schedule tasks to review contracts to ensure all obligations have been met
  Issue customizable contract assessments to evaluate status
• Customize surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments and more
• Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts
  Leverage built-in automated document analysis.
• Take actionable steps to reduce vendor risk with remediation recommendations and guidance
• Visualize and address compliance requirements by mapping assessment results to other regulations and frameworks

Since the inventory of personal information is evolving, it is important to keep it up to date to account for changes that may have occurred within your company (e.g., new collection of personal information for a project) and to ensure that you plan your actions adequately and comply with all your obligations.

Continuously monitor for third-party data breaches. Identify types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications.

Assess the project's compliance with privacy laws.

Address privacy regulations by mapping risks and responses to controls, gaining percent-compliance ratings, and generating stakeholder-specific reports.

Implement strategies and measures to avoid these risks or reduce them effectively.

Automate risk identification based on established thresholds and augment practices with workflows that escalate identified risks to the proper stakeholder for immediate review and disposition.

Recommend specific remediations or be willing to accept compensating controls where there are control deficiencies identified in data privacy practices.