Your organization is required to comply with Law 25 and implement an information governance program. What exactly are your obligations?
In Québec, any private enterprise that collects, processes or communicates personal information is covered by this law. It is therefore likely that it applies to you!
Let’s take a look at the main provisions of Law 25 and what they mean for your business.
What is Law 25?
What are a private business’s obligations under Law 25?
Why have an information governance program?
How can you create an effective governance program?
What is Law 25?
The Act respecting the protection of personal information in the private sector, also known as Law 25, is designed to protect the Québec population by making organizations accountable for the personal information they hold.
Some provisions of the new legislation came into effect on September 22, 2022. Others will come into effect in September 2023 and 2024, including the requirement to implement a personal information governance policy.
The Commission d’accès à l’information du Québec is the agency responsible for monitoring compliance with the law. The Commission can impose significant penalties for non-compliance, up to $25 million or 4% of a company’s worldwide sales.
What are a private business’s obligations under Law 25?
Since September 22, 2022, Law 25 imposes a number of responsibilities for private enterprises in Québec, regardless of their size.
Appoint a Privacy Officer
The enterprise must appoint a Privacy Officer to ensure compliance with the law. This role will fall to the person with the highest authority in the organization, but some or all of the duties can be delegated to another individual. Their title and contact details must be published on your website.
Maintain a register of confidentiality incidents
It is also necessary to keep a register of confidentiality incidents. You must be able to provide a copy of this register to the Commission d’accès à l’information at its request. In addition, if an incident occurs that poses a serious risk of harm, you are required to notify the Commission and the individuals involved.
Forward information under certain conditions
Lastly, new rules allow you, under certain conditions, to disclose personal information without the consent of the individual concerned when concluding a commercial transaction. You should make sure that the supplier to whom you are disclosing this information complies with the obligations set out in the law.
For a detailed description of your current and future obligations, consult the Commission d’accès à l’information’s checklist (French only).
Why have an information governance program?
New provisions of Law 25 will come into effect as of September 22, 2023. Among them: the obligation to have established policies and practices regarding personal information governance.
There are several advantages to creating an information governance program, beyond compliance with legal obligations. Here are a few of them.
Clearly defining everyone’s responsibilities and obligations
The information governance program is designed to ensure that privacy responsibilities and obligations are clearly defined and understood by all.
Better protecting information
It helps protect the information within the organization by making it accessible only to those who need it.
Reacting efficiently
It is a tool that fosters a quick response in the event of a confidentiality incident despite the preventive measures in place.
Showcasing your organization’s diligence
This program also serves as proof that the organization has acted diligently if a privacy incident occurs that poses a serious risk of harm.
Not only can a privacy incident be costly to your organization, it can also damage its reputation or compromise profitability. That’s why it is important to have an information governance plan with adequate protection for the organization.
How can you create an effective governance program?
To build an effective information governance program, it is important to take an inventory of the personal information your organization holds. You should also map out how this information flows through the organization. Among others, this will allow you to identify the type of information you collect, define the activities for which it is used and determine who should have access to it.
During this process, you may also discover unnecessary information. For example, if your company only has about 30 workers, having more than 500 employee records in your system is not normal. If you find that you have retained personal information that is no longer useful, it is important to destroy it.
Set a data retention schedule
This is one of the reasons why it is advisable to prepare a data retention schedule, which states that after a certain date, the information you have collected will be destroyed. For example, at the end of a hiring process, you will need to delete or anonymize personal information contained in the resumes you received.
These are just a few of the factors to consider when developing an effective information governance plan. Other aspects you should address include:
- Setting up an incident management plan;
- Introducing surveillance measures;
- Documenting staff roles and responsibilities.
For advice on implementing an information governance program tailored to your organization, contact our team of experts.
This article was written with Sébastien Meunier, Vice-President of information governance at Raymond Chabot Grant Thornton.
09 Feb 2023 | Written by :
Sébastien Meunier is expert in information governance at Raymond Chabot Grant Thornton.
See the profileYou could also like to read
Next article
Updated on January 23, 2024
There are tax implications when selling a property located in the U.S. that you need to be aware of to avoid unpleasant surprises.
When a Canadian resident sells U.S. real property, whether it is in Florida or elsewhere, withholding tax of 15% of the sale price is payable. For example, a home that sells for US$400,000 would require that US$60,000 be remitted to the Internal Revenue Service (IRS). This amount is collected from the sale price at the time of the transaction, either by the buyer or the agent, and then remitted to the IRS.
However, there are exceptions. The withholding tax does not apply if the sale is for less than US$300,000 (or it is reduced to 10% in the case of a sale between US$300,000 and US$1M) and the purchaser signs an affidavit stating that the new property will be a principal residence that will be occupied at least 50% of the time during the two years following the purchase.
The IRS applies this requirement under the Foreign Investment in Real Property Tax Act (FIRPTA) to ensure that the seller does not avoid its tax obligations in the U.S.
The good news is that the property seller will be able to recover some, if not all, of the withholding tax that was paid at the time of the transaction.
Recovering the tax withheld
The rate of 15% of the sale price is generally higher than the effective U.S. tax rate, which is between 0% and 20% of the capital gain. The seller may therefore obtain a refund for any amount already paid in excess of the actual tax due.
In order to recover the funds, the seller will have to file a U.S. income tax return, which will show the capital gain on the sale of the property. The funds withheld for FIRPTA will then be deducted from the tax liability and the balance will be refunded.
Note that the seller will, in all cases, have to file a US tax return even if he has benefited from the exemption from the 15% withholding tax as described above.
The sale of real property in the U.S. does not relieve Canadian residents of their obligation to report the transaction and pay tax on the capital gain in Canada. However, the Canada – United States tax treaty makes it possible to avoid double taxation.
What forms are required?
Naturally, there are tax forms to be completed for this process. The 15% withholding tax is remitted to the IRS using forms 8288 and 8288-A. Once the forms have been processed and the withholding tax received, the IRS will remit a stamped copy of form 8288-A, which the seller needs to file the U.S. income tax return.
At the time of the sale, the seller must obtain an ITIN (Individual Taxpayer Identification Number). Equivalent to the social insurance number in Canada, this number is mandatory for the 8288 and 8288A forms to be processed and will be needed later to file a U.S. income tax return in order to recover some or all of the 15% withholding.
Canadian passport certification
The application to obtain an ITIN must be accompanied by a certified copy of your passport. Certification by Passport Canada can take weeks or even months. Furthermore, you will not have your passport during this time since it must be sent to Passport Canada for certification. The good news is that Raymond Chabot Grant Thornton is accredited by the U.S. tax authorities to certify Canadian passports the same day they are requested.
Our cross-border tax experts are also available to prepare the prescribed tax forms and the U.S. and Canadian tax returns simultaneously.
In short, it is in your best interest to consult an international tax expert with in-depth knowledge of both countries’ tax rules in order to avoid unpleasant surprises or long delays. This expert will be better able to accompany you in order to not only minimize the financial impact of the sale of real property in the U.S., but also recover your money as efficiently and quickly as possible.
09 Feb 2023 | Written by :
Kais Yousfi is a tax expert at Raymond Chabot Grant Thornton. Contact him today!
See the profileNext article
Updated on February 19, 2024
Many companies are slow to change their payment methods. However, this is a major issue affecting their productivity.
The sooner your organization embraces this transformation, the sooner you will gain productivity and be equipped against threats to your data security. However, with so many available solutions, a clear strategy is needed.
Cheques, an outdated payment method
Even today, many organizations still issue cheques as payment. However, this method is expensive. According to some studies by Payments Canada, it costs between $15 and $20 to issue a single cheque. Furthermore, according to the Association for Financial Professionals (AFP), cheque fraud accounted for 66% of total fraud in 2021.
Despite the facts and studies on the subject, organizations continue to operate with this archaic payment method, under the false impression that any change would be too complex to implement.
Efficient strategy to avoid risk
Other companies have gone electronic, but without a clear enterprise-wide strategy. The result is redundant payment solutions and multiple, sometimes incompatible, processes within the same organization. This approach creates confusion, puts data security at risk and fosters fraud.
Additionally, the lack of interaction between the different systems requires numerous manual processes that hinder controls and productivity and increase the possibility of errors.
Optimized processes that will make you less vulnerable
In this situation, your company’s maturity is determined by how it complies with industry best practices in terms of payments and payment security.
To assess it, you need to analyze your processes and determine your vulnerabilities by asking yourself these important questions:
- Is the use of cheques still predominant in your company?
- Do you operate with manual processes and controls?
- Are there several payment solution providers, including banks, in your organization?
- Do you have processes in place for payments to providers, payroll and others?
- Is it easy to trace back the complete cycle of a specific payment (reason for payment, approval, issue, receipt, reconciliation)?
- How long would it take to detect a case of fraud?
- Do you have any measures to protect your providers’ banking data?
A technological solution for implementing best practices
For payment digitization, optimization and automation, the payment factory is simply the most recommended solution for most businesses.
A payment factory is a technological solution that meets all the abovementioned challenges. It allows for:
Centralization
A payment center is the bridge between the different systems and the financial institutions. It centralizes the processing of payments from the various internal systems.
Increased controls
The payment factory allows for flexibility in approval models and potential fraud detection. For example: three or more levels of approvals for payments with a non-standard value, or additional authorization for a first payment to a new provider.
Automation
The payment factory makes it possible to automate several steps in the payment cycle. For example: the payment notification to the beneficiary or reconciling payments by posting accounting entries.
Integration
Interfacing between different systems and financial institutions is key. It eliminates manual data entry, optimizes the entire process and helps achieve the desired efficiency. It also ensures increased security when information flows from one system to another.
As a technological solution, a payment factory would be the foundation for future payment solutions such as Interac for Business, real-time payments and many others.
In short, the payment factory will allow you to eliminate or reduce your vulnerabilities, as well as accelerate your business processes so that you can spend more time on profitable business activities.
03 Feb 2023 | Written by :
Louis-Étienne Bérubé is a management consulting expert at Raymond Chabot Grant Thornton.
See the profileNext article
The Grant Thornton International IFRS team has published the 2023 edition of Navigating the changes to International Financial Reporting Standards: A briefing for preparers of IFRS financial statements. The publication is designed to give preparers a high-level awareness of recent changes that will affect companies’ future financial reporting.
This publication covers both new standards and interpretations that have been issued as well as amendments made to existing ones, giving a brief description of each. The 2023 edition of the publication has been updated to include changes to International Financial Reporting Standards (IFRS) that have been published between January 1, 2022 and December 31, 2022.
