Law 25 compliance is not reserved for large organizations with dedicated legal teams. Whether you are a 10-person business or a 500-employee company, certain mistakes come up consistently, not out of bad faith, but because the process is not instinctive for most managers.
Here are the five most common mistakes, and what you can do to avoid them.
1. Treating Compliance as an IT Project
Why it is a problem: Technology is part of the answer, but protecting personal information is fundamentally an organizational issue. Policies, processes, training, governance: all of this goes well beyond the IT department's mandate.
When compliance is delegated entirely to the IT team, several dimensions are systematically overlooked: paper files, internal communication practices, human resources management, data handling by sales and customer service teams. These gaps are often only visible once an incident occurs.
What to do instead: Treat compliance as a change management project. The person responsible for personal information protection must have cross-functional access to the organization, not be confined to one department. IT is a partner, not the owner.
2. Ignoring Physical Files
Why it is a problem: Law 25 applies to personal information regardless of the medium. A filing cabinet containing employee records, signed client forms, or health documents is as fully covered as a SQL database.
Many organizations conduct a rigorous digital inventory and completely forget what is printed, archived, or still circulating on paper. Yet a misplaced paper file, one sent to the wrong recipient, or one accessible to unauthorized people constitutes a privacy incident in the same way as an electronic data breach.
What to do instead: Include physical documents in your personal information inventory. Define retention and destruction rules for paper documents (secure shredding). Ensure that spaces where these documents are accessible are controlled.
3. No Incident Response Plan
Why it is a problem: Law 25 requires notification to the Commission d'accès à l'information (CAI) and to the affected person within 72 hours when an incident presents a serious risk of harm. This deadline starts running as soon as you become aware of the incident.
Learning about the 72-hour rule in the middle of managing an incident is the worst possible way to discover it. Without a plan prepared in advance, you will lose time figuring out what to do, who to contact, and how to draft the notification, while the clock is already running.
What to do instead: Prepare an incident response plan before an incident occurs. This plan should include: who is responsible for coordination, how to assess the risk of harm, notification templates for the CAI and affected persons, and the registry where the incident will be documented.
4. A Privacy Policy Written Once, Never Updated
Why it is a problem: A privacy policy is a living document. Every time you adopt a new digital tool, change your collection practices, add a vendor who processes data on your behalf, or modify your retention periods, your policy should be reviewed.
A policy that describes practices you no longer follow, or that omits current practices, creates a misrepresentation to your clients and employees. It can also expose you if a complaint demonstrates that what you do does not match what you declared.
What to do instead: Set an annual review schedule for your policy. Add a policy check to the process of adopting any new vendor or tool that handles personal information. Document the dates of revisions and the changes made.
5. No Employee Training
Why it is a problem: An excellent policy is worthless if the people who handle personal information every day do not know it, or do not know how to apply it. The vast majority of privacy incidents have a human cause: a sending error, a shared password, an access request ignored because the employee did not know what to do with it.
Law 25 explicitly requires training and awareness measures (art. 3.2). This is not a recommendation; it is an obligation.
What to do instead: Train all employees who handle personal information, starting at onboarding and annually thereafter. Training must cover the basics of the law, the internal policy, and the procedures specific to their role. Document the training to be able to demonstrate it.
These five mistakes share something in common: they are all avoidable with clear organization and a little advance preparation. Law 25 compliance is not a one-time project to complete and forget; it is an ongoing practice that integrates into operations.
Observantia is designed to help organizations structure this practice: personal information inventory, incident management, team training, and compliance documentation, all in one place.
This content is provided for informational purposes only and does not constitute legal advice. For questions specific to your situation, consult a qualified legal professional.