All phases of Law 25 have been in force since September 2024. The data shows it unequivocally: the vast majority of Quebec SMEs have not reached the level of compliance required by the law. And the main obstacle is not a lack of goodwill — it is the absence of specialized resources within reach.
The real numbers: where do Quebec SMEs stand?
Since September 2023, several independent surveys and audits have sought to measure the real level of business compliance. The results are consistent — and concerning.
The most telling figure is probably this one: 61% of businesses say they have a compliance plan (Gowling WLG survey of more than 100 organizations, 2023), but only 3% have actually implemented the practices required by the law (GRIC/Université de Sherbrooke survey, 2023). The gap between intention and reality is enormous.
At the Commission d'accès à l'information (CAI), the figures from its 2024-2025 annual report speak for themselves: oversight complaints jumped by 227%, and confidentiality incident notifications exploded by 559%. The CAI is no longer in an observation posture; it is in enforcement mode.
- Penal fines: up to $25,000,000 or 4% of worldwide revenue (whichever is higher)
- Administrative penalties (CAI): up to $10,000,000 or 2% of revenue
- Punitive damages: up to $1,000 per person for an alleged violation
- In the event of a repeat offence: the amounts are doubled
Source: Law 25, s. 91 to 93.1; CAI — Sanctions, entreprises et poursuites
Why are so many SMEs behind?
It is not for lack of will. The Gowling WLG survey reveals that 69% of organizations are asking for more clarity on what the law concretely requires, and that 67% are worried about penalties. The awareness of the risk is there — but the means to manage it are lacking.
The GRIC/UdeS survey identifies three main obstacles among SMEs:
- Law 25 compliance is not a standard IT skill. It sits at the intersection of law, governance, risk management and operational processes. Few SMEs have this expertise in-house.
- In an SME, managers and their teams are already juggling day-to-day operations. Regulatory compliance too often ends up in the "we'll deal with that later" column — until it's too late.
- Retaining a specialized lawyer or hiring a full-time Privacy Officer represents an investment that most SMEs cannot take on. The result: inaction becomes the "default strategy."
The Privacy Officer: an obligation you cannot delegate at random
Since September 2022, every business subject to Law 25 must designate a Privacy Officer (the person in charge of the protection of personal information). By default, the most senior executive holds this role — but the law explicitly allows it to be delegated to an external third party.
- Maintain the inventory of personal information collected and processed
- Keep and update the register of confidentiality incidents
- Oversee the completion of Privacy Impact Assessments (PIAs)
- Respond to individuals' requests for access, correction and deletion
- Train employees on their data protection obligations
- Review and update privacy and consent policies
- Ensure the compliance of contracts with subcontractors who process data
- Act as the official point of contact for the Commission d'accès à l'information (CAI)
It is a part-time role, but one that requires sharp expertise. Too often, it is handed to the IT manager or the general manager — who have neither the training nor the time to do it properly. That is where the gap opens up between "having a designated Privacy Officer" and "being genuinely compliant."
The Privacy Officer on demand: a specialist's expertise, without the hire
Synéra's Privacy Officer on demand service responds directly to this problem. It gives you access to a certified, experienced Privacy Officer, mandated as the external person responsible for your Law 25 compliance — without having to hire, train, or manage an internal resource.
In concrete terms, here is what it changes for your business:
In-house Privacy Officer vs Privacy Officer on demand: the honest comparison
How does it work in practice?
It all starts with a 30-minute meeting, free and with no obligation. During this call, our team assesses your current situation, identifies your priority gaps, and recommends the plan best suited to your organization.
The right time to act is now
The data is clear: non-compliance with Law 25 is the norm, not the exception. But this reality also creates a real opportunity for the businesses that decide to act — to stand out, protect their reputation, and avoid fines that can reach into the millions.
Synéra's Privacy Officer on demand is not a luxury reserved for large companies. It is precisely because you are an SME — with limited resources, multiple priorities, and zero tolerance for surprises — that this model was designed for you.
If you are among the 97% who are not yet compliant, you are not alone. But the time to "deal with it later" is over.
Start with a free 30-minute assessment
No obligation. Our team analyzes your situation, identifies your priorities, and proposes a plan tailored to your reality.
Sources cited:
- Groupe de recherche interdisciplinaire en cybersécurité (GRIC), Université de Sherbrooke, Sondage sur la conformité des PME à la Loi 25, September 2023
- Gowling WLG & IAB Canada, Law 25 Survey Report, August 2023
- Commission d'accès à l'information du Québec (CAI), Rapport annuel d'activités et de gestion 2024-2025
- Act to modernize legislative provisions as regards the protection of personal information (S.Q. 2021, c. 25), s. 91–93.1
- CAI, Sanctions, entreprises et poursuites (cai.gouv.qc.ca)