What is Law 25?
Law 25, officially titled the Act to Modernize Legislative Provisions Respecting the Protection of Personal Information, was adopted in Quebec to enhance the protection of personal information in both the public and private sectors. This law aims to modernize practices related to the collection, use, communication, and protection of data in the digital age.
Key Dates of Law 25:
- September 22, 2021: Adoption of Law 25 by the Quebec National Assembly.
- September 22, 2022: Implementation of the first provisions, including new transparency and accountability requirements.
- September 22, 2023: Enforcement of requirements regarding consent and data portability rights.
- September 22, 2024: Deadline for full compliance, including enhanced data security and breach notification obligations.
Impacts on Customer Contact Centers
Strengthening Consent Obligations
Explicit Consent: Contact centers must obtain clear and explicit consent before collecting, using, or disclosing personal information.
Data Usage Information: It is crucial to inform customers about the intended use of their data, including the specific purposes for which it is collected.
Right to Erasure and Portability
Right to Erasure: Contact centers must allow individuals to request the deletion of their personal data when it is no longer necessary.
Right to Portability: Individuals have the right to receive their personal data in a structured, commonly used format and to transfer it to another organization.
Data Management and Protection
Increased Responsibility: Contact centers must secure personal information with appropriate measures to prevent unauthorized access, loss, or theft.
Privacy Impact Assessment: A privacy impact assessment must be conducted before implementing any new program involving personal information.
Breach Notification Obligation
Data Breach Notification: In the event of a data breach, contact centers must promptly notify affected individuals and the Quebec Commission d’accès à l’information.
Training and Awareness
Employee Training: All employees must be trained on new legal obligations regarding personal data protection.
Privacy Policy: A clear and accessible privacy policy must be established and communicated to all employees and clients.
Consequences of Non-Compliance
Penalties and Fines: Non-compliant businesses may face significant fines and other sanctions.
What Should Businesses Do?
To comply with Law 25, businesses should:
- Review Current Policies and Procedures.
- Manage Customer Consent.
- Ensure Data Security.
- Implement Breach Notification Procedures.
- Train and Educate Employees.
- Respect Individuals’ Rights.
- Check Integrations and Partnerships for compliance.
Specific Impacts on CCaaS Solutions
Data Security
Businesses must ensure that CCaaS (Contact Center as a Service) providers offer security measures compliant with Law 25, such as data encryption and strict incident management.
Consent
CCaaS solutions must ensure that communication scripts and call recordings obtain explicit consent from clients for the collection and use of their data.
Contractual Responsibility
Contracts with CCaaS providers should include specific clauses related to data protection and compliance with Law 25.
Data Transfer
If personal data is transferred outside Quebec, businesses must ensure that it receives protection equivalent to that required by Law 25.
Incident Management
Businesses should have procedures in place to promptly report data breaches to the Commission d’accès à l’information and to notify affected individuals.
Management of Client Data by Third Parties
Businesses must apply strict governance over data shared with third parties, ensuring they comply with Law 25 obligations.
Training and Awareness
Employee training on Law 25 and best practices for data protection is essential, especially for those using CCaaS solutions.
Automation for Compliance
Tools, such as call recording software that pauses during the exchange of personal information, should be implemented.
What Paxyl Has Done
To comply with Law 25, Paxyl has implemented the following measures:
- Designation of a Chief Compliance Officer for Personal Data Protection.
- Identification and classification of collected and processed personal data.
- Development and implementation of clear policies for managing personal information.
- Implementation of robust security measures.
- Mechanisms for accessing and correcting personal information.
- Regular employee training programs.
- Regular audits to ensure compliance with data protection policies.
Non-Solicitation
The Genesys Cloud solution includes advanced call management features that help businesses comply with non-solicitation rules, such as “Do Not Call” (DNC) lists. By using automated mechanisms to filter numbers on DNC lists, Genesys Cloud ensures businesses adhere to telecommunications regulations, avoiding unsolicited calls and potential penalties. This feature helps protect the company’s reputation and ensures ethical and legal management of communication campaigns.