Law 25 Compliance & Privacy Checklist for Businesses

Quebec's Loi 25, commonly known as Law 25 or Bill 64, is one of the most demanding privacy frameworks in North America. The failure to comply can cost you penalties reaching $25 million CAD or 4% of your worldwide turnover.

At DPO Consulting, we have helped organizations across Canada and internationally understand their obligations, close compliance gaps, and build privacy programs that hold up to regulatory scrutiny.

Law 25 Compliance Support for Organizations Operating In or Targeting Quebec

Law 25 applies to any organization, public or private, based in Quebec or not, that handles the personal information of Quebec residents. That broad scope means thousands of Canadian and international businesses must meet its requirements, including mandatory appointment of a Privacy Officer, robust consent mechanisms, documented Privacy Impact Assessments (PIAs), and enforceable data subject rights.

DPO Consulting delivers structured, practical law 25 privacy compliance programs built for organizations at every stage of their compliance journey.
Our services

Expert Law 25 Compliance Services for Businesses

It’s important that the individual or organization you assign as your UK representative has extensive experience and familiarity with UK GDPR regulation to avoid any regulatory shortfalls.

Law 25 Compliance Assessments and Gap Analysis

Our certified privacy consultants conduct thorough assessments of your current data practices against the full requirements of Law 25, including data inventory, consent frameworks, governance structures, vendor contracts, and breach response protocols. The output is a clear, prioritized gap report that tells you exactly where you stand and what needs to change.

Outsourced Privacy Officer and Governance Support

Law 25 requires every organization to designate a person responsible for personal information protection. Our Outsourced Privacy Officer service gives you qualified expertise on demand, covering policy development, regulatory liaison, and ongoing oversight, without the cost of a permanent hire.

Consent Management and Privacy Controls

From cookie banners and preference centres to privacy notices and tracking controls, we help you implement consent management solutions that meet Quebec's strict Bill 64 / Law 25 standards while remaining practical for your users and your business.

Privacy Impact Assessments and Risk Management

Law 25 mandates a Privacy Impact Assessment in Québec (EFVP) before collecting personal information or transferring it outside Quebec. Our consultants guide you through each EFVP, identifying risks and producing regulator-ready documentation.

Law 25 Training and Internal Enablement

We deliver role-specific training for executives, HR, IT, and customer-facing teams, equipping your people to handle personal information correctly and respond to incidents with confidence.

Why Law 25 compliance matters for your organization

A lack of GDPR compliance opens the door to several potential organizational risks. Our goal is to prevent them.

Financial Penalties

The CAI can impose penalties of up to $25 million CAD or 4% of worldwide turnover for serious violations. This is active enforcement, not a future risk. Organizations without documented compliance programs are already exposed.

Data Breaches

Law 25 requires prompt notification to the CAI and affected individuals following any incident posing a serious risk of harm. Without a tested response plan, a single breach compounds your legal, financial, and regulatory exposure significantly.

Reputational Damage

Enterprise clients, procurement teams, and consumers are scrutinizing how organizations handle personal data. Non-compliance doesn't just attract fines, it costs contracts and erodes trust that takes years to rebuild. Read Quebec Law 25 Explained to understand the full commercial stakes.

We help you turn your GDPR compliance into a competitive asset.

Our consultants guarantee successful GDPR compliance in 60 days with a customized action plan based on the unique needs of your organization.

Customized strategies for your organization.

We cater to what your organization needs, and focus on delivering the highest impact.

A partner that adapts to your needs.

No matter your situation we find a way to ensure you’re GDPR-compliant.

Constantly up to date.

Always on top of new rules and regulations to ensure you stay ahead of the curve.

Complete trust and transparency.

You’ll have total insight into what we’re doing every step of the way.
Why choose DPO Consulting?

Why Choose DPO Consulting for Law 25 Compliance

DPO Consulting specializes in the protection of personal data and UK GDPR compliance law. Our services are tailor-made to ensure you’re GDPR compliant no matter where you operate from.
Proven experience with Quebec privacy law.
Our consultants have deep, hands-on experience with Law 25 and its evolution from Bill 64 through full implementation. We understand both the letter of the law and how the CAI interprets and enforces it in practice.
Tailored compliance programs.
There is no one-size-fits-all approach to law 25 privacy compliance. We design every program around your sector, your size, your existing controls, and your risk profile, giving you a solution that is proportionate, achievable, and defensible.
End-to-end privacy coverage.
From data collection and storage to processing and sharing, we ensure that all your activities comply with UK GDPR standards. This thorough approach helps identify potential vulnerabilities and implement corrective measures promptly.
Support every step of the way.
From initial assessments to ongoing compliance management, we offer continuous support to help maintain your data protection standards. Furthermore, hands-on training, helplines, and audit refreshers keep you compliant year-round.
Experts in UK GDPR and ICO compliance.
Staying abreast of the latest guidance from the Information Commissioner's Office (ICO) is crucial for compliance. Our deep understanding of UK GDPR and ICO guidelines ensures that your organisation meets all regulatory expectations.

Join 100+ leading organizations that have trusted us with their UK GDPR compliance.

Inquire about our UK GDPR compliance services
We make fantastic long-term partners.

As your designated GDPR compliance partner, we’re here to grow as you do and support your organizational needs accordingly.

READ STORIES FROM OUR EXISTING PARTNERS
Fearlessness, curiosity, and a willingness to experiment are the cornerstones of our culture. We embrace challenges with courage, nurture curiosity to drive continuous improvement, and understand that both successes and failures are invaluable teachers. Every experience contributes to our collective growth and evolution.
Floyd Miles
UI/UX Designer

Get in touch with one of our UK GDPR compliance consultants.

Whether you have a clear idea of your DPO needs or not, our team of UK GDPR consultants can help point you in the right direction and understand what needs to get done.

Contact us directly at our email address
contact@dpo-consulting.com

The data collected on this form are intended for DPO Consulting. They are used to process your request. They are also used for sending you our newsletter if you have consented to it by checking the box below. Mandatory data are indicated on the form by an asterisk. In accordance with the EU Regulation 2016/679 of 27 April 2016 on the protection of personal data and the amended Law "Informatique et Libertés" of 6 January 1978, you have the right to the access, rectification, deletion, portability as well as limitation and opposition to the processing of your personal data. You can exercise that right by sending an email to the following address: dpo@dpo-consulting.com.

For more information about the processing of your personal data by DPO Consulting, you can consult the Data Protection Policy.

Commonly asked questions on UK GDPR compliance.

What is UK GDPR, and How Does It Differ from EU GDPR?

The UK General Data Protection Regulation (UK GDPR) is the UK's data protection framework that came into effect post-Brexit. It mirrors the EU GDPR in many respects but has been tailored to fit the UK's legal context. Key differences include:

Regulatory Authority: The UK's Information Commissioner's Office (ICO) oversees UK GDPR compliance, whereas the EU GDPR is enforced by supervisory authorities in each EU member state.

International Data Transfers: Post-Brexit, the UK is considered a 'third country' under EU GDPR. However, the EU has granted the UK an adequacy decision, allowing data to flow freely from the EU to the UK until June 2025, subject to review.

Fines and Penalties: While both regulations impose significant fines for non-compliance, the maximum fine under UK GDPR is £17.5 million or 4% of annual global turnover, whichever is higher.

It's essential for organizations operating in both the UK and EU to understand and comply with both sets of regulations.

Do UK businesses still need to comply with EU GDPR?

If you offer goods or services to EU residents or monitor their behaviour, you must comply with EU GDPR as well as UK GDPR.

You can read more about the differences between EU and UK GDPR compliance here.

What are UK GDPR compliance services?

UK GDPR compliance services encompass a range of solutions designed to help organizations adhere to UK data protection laws. These services typically include:

Data Audits: Assessing current data processing activities.
Policy Development: Creating or updating privacy policies and procedures.
Training: Educating staff on data protection principles.
Data Protection Impact Assessments (DPIAs): Evaluating high-risk processing activities.
Ongoing Support: Providing guidance on maintaining compliance.

Engaging in these services helps organizations mitigate risks and demonstrate accountability.

What Is a GDPR Compliance Audit?

A systematic review of data practices, policies, and technical controls to identify gaps and ensure alignment with GDPR requirements. The audit typically involves:

Data Mapping: Identifying what personal data is collected, processed, and stored.
Policy Review: Assessing the adequacy of existing data protection policies.
Risk Assessment: Identifying potential vulnerabilities in data handling.
Recommendations: Providing actionable steps to address compliance gaps.

Regular audits are crucial for maintaining compliance and preparing for potential regulatory inspections.

Are GDPR compliance audits mandatory?

Audits are not explicitly mandated but are considered best practice and essential for demonstrating accountability in case of an ICO investigation.

Who needs UK GDPR compliance consulting?

Any organisation processing personal data of UK residents, regardless of size or sector, can benefit from expert UK GDPR services.

Do I need a data protection officer (DPO) under UK GDPR?

Yes, if you’re a public authority, carry out large-scale monitoring, or process special category data on a large scale. Otherwise, you can opt instead for an external DPO.

How do UK GDPR audit services help businesses?

GDPR audit services assist businesses by:

Identifying Compliance Gaps: Highlighting areas where current practices fall short of regulatory requirements.

Mitigating Risks: Providing strategies to address vulnerabilities in data processing activities.

Enhancing Accountability: Demonstrating a commitment to data protection to stakeholders and regulators.

Preparing for Regulatory Inspections: Ensuring readiness for potential audits by authorities like the ICO.

Engaging in regular audits fosters a culture of continuous improvement in data protection practices.

Is a UK GDPR audit required for ICO investigations or inspections?

While the ICO may conduct its own audit during an investigation, having completed your own audit shows proactive compliance and can mitigate penalties.

What is the role of a UK GDPR auditor?

A GDPR auditor is responsible for:

Assessing Compliance: Evaluating an organization's adherence to GDPR requirements.
Identifying Risks: Spotting potential vulnerabilities in data processing activities.
Providing Recommendations: Suggesting actionable steps to address compliance gaps.
Supporting Implementation: Assisting in the development and execution of compliance strategies.

Auditors play a crucial role in helping organizations maintain robust data protection frameworks.

Who conducts GDPR compliance audits?

Qualified Data Protection professionals with legal, technical, and operational expertise, often certified DPOs or ISO 27001 auditors. This naturally includes our UK GDPR consultancy experts here at DPO Consulting.

How much does a UK GDPR compliance audit cost?

GDPR compliance audit costs vary by organisation size, complexity, and scope. To get a customised quote, you can contact our team.