TL;DR: Quebec Law 25 expands privacy rights beyond PIPEDA with stricter DPIA, consent, breach notification, and data subject requirements, and noncompliance can trigger fines up to 25,000,000 CAD or 4 percent of gross revenue, according to Cyera. For IAM and NHI teams, the practical issue is not just privacy compliance, but proving who can access data, what they do with it, and where it moves.
NHIMG editorial — based on content published by Cyera: Quebec Law 25: What’s New?
Questions worth separating out
Q: How should organisations govern access to personal data under Quebec Law 25?
A: They should treat access governance as part of privacy compliance, not a separate IAM task.
Q: Why do non-human identities matter in privacy compliance?
A: Non-human identities often sit on the shortest path to personal data because they power integrations, automation, and analytics.
Q: What should teams prioritise first for Quebec Law 25 readiness?
A: Start with data discovery, access mapping, and jurisdictional review.
Practitioner guidance
- Map Quebec personal data to identity paths: build an inventory that links each personal data store to the humans, external users, and non-human identities that can reach it, and with what actions.
- Tie DPIAs to data transfer decisions: require a documented DPIA before any system change that introduces new data flows, a new jurisdiction, or a new processing purpose.
- Separate access and use evidence: retain logs that show both successful access and the subsequent use of personal data, so incident teams can determine whether an event is a confidentiality incident under Law 25 (which covers unauthorised use as well as unauthorised access).
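One way to turn the three points above into something a team can run is to treat the identity inventory, the role grants and the store inventory as data, derive the effective access paths from them, and then classify access/use log events against those paths. The script below is an added example for this editorial; it is not Cyera's or NHIMG's code, and every store, identity, role grant, approved region and log line in it is constructed for illustration. It distinguishes an identity reaching a store it has no grant on (unauthorised access) from an identity exercising an action it was never granted on a store it may reach (unauthorised use), flags personal-data stores outside the assumed approved region, and lists granted-but-never-used actions as least-privilege candidates.

```python
"""Access-path inventory plus access/use evidence check for stores holding personal data.

Added example for this editorial; not Cyera's or NHIMG's code. Every store,
identity, role grant, region and log event below is constructed for illustration.
"""
from collections import defaultdict

# Constructed inventory of data stores; personal_data marks Quebec personal information.
STORES = {
    "crm-prod":       {"personal_data": True,  "region": "ca-central-1"},
    "analytics-lake": {"personal_data": True,  "region": "us-east-1"},
    "build-cache":    {"personal_data": False, "region": "us-east-1"},
}

# Constructed identity catalogue: humans, external users and non-human identities (NHIs).
IDENTITIES = {
    "alice":      {"kind": "human",    "roles": ["support-agent"]},
    "vendor-bob": {"kind": "external", "roles": ["reporting-reader"]},
    "sa-etl":     {"kind": "nhi",      "roles": ["etl-writer", "admin"]},
    "sa-ci":      {"kind": "nhi",      "roles": ["ci-builder"]},
}

# Constructed role grants: role -> store -> permitted actions.
ROLE_GRANTS = {
    "support-agent":    {"crm-prod": {"read"}},
    "reporting-reader": {"analytics-lake": {"read"}},
    "etl-writer":       {"crm-prod": {"read"}, "analytics-lake": {"read", "write"}},
    "admin":            {s: {"read", "write", "export"} for s in STORES},
    "ci-builder":       {"build-cache": {"read", "write"}},
}

APPROVED_REGIONS = {"ca-central-1"}  # assumption for the example, not a legal determination


def access_paths():
    """Effective grants per personal-data store: store -> identity -> set of actions."""
    paths = defaultdict(lambda: defaultdict(set))
    for ident, meta in IDENTITIES.items():
        for role in meta["roles"]:
            for store, actions in ROLE_GRANTS.get(role, {}).items():
                if STORES[store]["personal_data"]:
                    paths[store][ident] |= actions
    return {s: {i: set(a) for i, a in ids.items()} for s, ids in paths.items()}


def jurisdiction_findings():
    """Personal-data stores outside the approved regions: candidates for DPIA/transfer review."""
    return sorted(s for s, m in STORES.items()
                  if m["personal_data"] and m["region"] not in APPROVED_REGIONS)


def classify_events(events):
    """Classify (identity, store, action) log events against the access-path inventory.

    unauthorised_access: the identity holds no grant on the store at all.
    unauthorised_use:    the identity may reach the store, but not with this action.
    uninventoried_store: the store is unknown to the inventory (a data discovery gap).
    out_of_scope:        the store holds no personal data.
    """
    paths = access_paths()
    results = []
    for ident, store, action in events:
        meta = STORES.get(store)
        granted = paths.get(store, {}).get(ident)
        if meta is None:
            verdict = "uninventoried_store"
        elif not meta["personal_data"]:
            verdict = "out_of_scope"
        elif granted is None:
            verdict = "unauthorised_access"
        elif action not in granted:
            verdict = "unauthorised_use"
        else:
            verdict = "permitted"
        results.append((ident, store, action, verdict))
    return results


def excess_grants(events):
    """Granted actions never exercised in the log: candidates for least-privilege reduction."""
    used = defaultdict(set)
    for ident, store, action in events:
        used[(ident, store)].add(action)
    return {(i, s): sorted(a - used[(i, s)])
            for s, ids in access_paths().items() for i, a in ids.items()
            if a - used[(i, s)]}


# Constructed access/use log: (identity, store, action).
SAMPLE_EVENTS = [
    ("alice", "crm-prod", "read"),
    ("vendor-bob", "analytics-lake", "read"),
    ("vendor-bob", "analytics-lake", "export"),   # may reach the store, but export is not granted
    ("sa-ci", "crm-prod", "read"),                # no grant on this store at all
    ("sa-etl", "analytics-lake", "write"),
]

if __name__ == "__main__":
    for store, ids in sorted(access_paths().items()):
        print(store, {i: sorted(a) for i, a in ids.items()})
    print("outside approved regions:", jurisdiction_findings())
    for row in classify_events(SAMPLE_EVENTS):
        print(*row)
    for (i, s), unused in sorted(excess_grants(SAMPLE_EVENTS).items()):
        print(f"{i} on {s}: granted but never used {unused}")
```

In a real deployment the three constructed dictionaries would be replaced by exports from the identity provider, the cloud IAM policy evaluator and the data discovery tool, and the event list by access and audit logs joined on the identity's principal identifier; the classification logic stays the same. The distinction between `unauthorised_access` and `unauthorised_use` is the one incident teams need when the confidentiality incident definition covers use, not just access.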
What's in the full article
Cyera's full article covers the operational detail this post intentionally leaves for the source:
- The side-by-side PIPEDA versus Law 25 differences that matter for privacy programme scoping and legal review.
- How Cyera maps data discovery and classification to subject access requests, erasure validation, and DPIA preparation.
- The platform workflow for spotting Quebec personal information outside approved jurisdictions and triggering review.
- The identity access features that catalogue human and non-human access paths to regulated data.
👉 Read Cyera's analysis of Quebec Law 25 and data privacy governance →
Quebec Law 25: what changes for data privacy and access control?
Explore further
Quebec Law 25 turns data access governance into privacy governance. The article makes clear that compliance is no longer limited to storage location or breach response. Once unauthorised use is part of the confidentiality incident definition, organisations need to know which identities can access personal data and how that access is exercised. The implication is that identity governance and privacy compliance are now a single control plane, especially where NHIs and external users touch regulated data.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the same guide; this is a useful benchmark for privacy teams evaluating machine access lifecycle controls.
A question worth separating out:
Q: Who is accountable when unauthorised use of personal information occurs?
A: Accountability sits with the organisation that controls the data, but the operational evidence usually comes from IAM, data security, and legal teams together. The practical test is whether the business can show who accessed the data, what they did with it, and whether the action was permitted under policy and law.
👉 Read our full editorial: Quebec Law 25 raises the bar for data privacy governance