Skip to main content
Chapter
Licensed
Unlicensed Requires Authentication

38 Quebec Law 25: Canada’s sharpest privacy reform yet

Become an author with De Gruyter Brill
Explore this Subject How to publish with us
Unified Compliance
This chapter is in the book Unified Compliance
© 2026 Walter de Gruyter GmbH, Berlin/Boston

© 2026 Walter de Gruyter GmbH, Berlin/Boston

Chapters in this book

  1. Frontmatter I
  2. Preface V
  3. Contents VII
  4. Part I HIPAA, HITECH, and HITRUST
  5. 1 HIPAA foundations: What it is and what it isn’t 3
  6. 2 The HIPAA security rule: Safeguards and framework mapping 18
  7. 3 The HITECH act: Enforcement, breach response, and access rights 26
  8. 4 Breach notification and incident response 36
  9. 5 Administrative and physical safeguards 47
  10. 6 HITRUST – From compliance to assurance at scale 62
  11. 7 Bringing it all together: Operationalizing HIPAA compliance 76
  12. Part II NIST cybersecurity and privacy
  13. 8 The NIST landscape: Foundations of cybersecurity and privacy 85
  14. 9 The NIST cybersecurity framework: From strategy to practice 92
  15. 10 NIST SP 800-53: Control families in focus 101
  16. 11 NIST SP 800-171: Protecting CUI in non-federal systems 109
  17. 12 Implementing NIST in practice: Use cases across sectors 119
  18. 13 NIST maturity models and self-assessments 124
  19. Part III ISO/IEC 27001
  20. 14 ISO/IEC 27001: Layered security architecture and control mapping 133
  21. 15 Designing secure architecture with compliance in mind 147
  22. 16 Identity, access, and authentication models 171
  23. 17 Logging, monitoring, and system integrity 184
  24. 18 Compliance-ready incident response 196
  25. 19 System hardening and secure configuration management 206
  26. 20 Putting it all together: ISO/IEC 27001 in action 215
  27. Part IV PCI DSS and payment security
  28. 21 PCI DSS 4.0: Foundations of payment security 229
  29. 22 Deep dive: PCI requirements 1–6 236
  30. 23 Deep dive: PCI requirements 7–12 249
  31. 24 PCI reporting, SAQs, and certification pathways 262
  32. 25 Part IV recap: PCI DSS in practice 272
  33. Part V GDPR and global privacy laws
  34. 26 GDPR foundations: Scope, principles, and applicability 277
  35. 27 Lawful basis and consent management 292
  36. 28 Rights of the data subject 306
  37. 29 Security of processing (Article 32) 314
  38. 30 Breach notification under GDPR (Articles 33–34) 320
  39. 31 International data transfers and schrems II 330
  40. 32 Operationalizing GDPR: DPIAs, DPOs, and records of processing 338
  41. 33 GDPR enforcement and risk-based accountability 346
  42. Part VI Global privacy atlas
  43. 34 California CPRA: US state-level privacy done big 357
  44. 35 Brazil LGPD: Latin America’s GDPR-inspired framework 366
  45. 36 India’s DPDP act: Data empowerment in the world’s largest democracy 378
  46. 37 China’s PIPL: Privacy with Chinese characteristics 392
  47. 38 Quebec Law 25: Canada’s sharpest privacy reform yet 410
  48. 39 UK GDPR: Post-Brexit privacy and the “British way” 426
  49. 40 HIPAA and the new security rule 440
  50. Part VII Mapping and crosswalks
  51. 41 Unified compliance architecture: A cross-framework blueprint 465
  52. 42 Unified incident response and breach handling 474
  53. 43 The unified risk register: A strategic approach to multi-framework compliance 483
  54. 44 Harmonized policy sets and centralized documentation 490
  55. 45 Compliance evidence strategy and control libraries 497
  56. 46 Cross-framework audit prep and storytelling 506
  57. 47 Harmonized training, awareness, and culture 512
  58. 48 Multi-framework tabletop exercises and red team simulations 520
  59. 49 The future of compliance 527
  60. Part VIII Privacy engineering and control automation
  61. 50 Architecting for compliance: Embedding privacy in systems design 533
  62. 51 Policy-as-code and compliance automation pipelines 543
  63. 52 GRC-as-code, operationalizing compliance in real time 554
  64. 53 Control libraries, compliance SDKs, and reusable governance patterns 573
  65. 54 Simulation playbooks: Stress-testing your compliance in the real world 588
  66. 55 Global data protection frameworks: GDPR, ISO 27001, and beyond 599
  67. 56 Operationalizing NIST – Controls, profiles, and use cases 616
  68. Part IX AI and global compliance
  69. 57 Privacy blueprints for AI and machine learning systems 637
  70. 58 AI governance, privacy, and risk – Frameworks for responsible deployment 663
  71. 59 The compliance singularity, AI, trust, and the end of policies 683
  72. 60 Global AI governance models 691
  73. Part X Templates, labs, and appendices
  74. A Templates and forms: Compliance in action 701
  75. B Multi-framework audit checklists 705
  76. C Simulation playbooks and tabletop exercises 707
  77. D Compliance evidence index 711
  78. E Glossary of terms and acronyms 713
  79. F Control crosswalk appendix 718
  80. G Resources and further reading 719
  81. Index 721
https://doi.org/10.1515/9783112226162-044

Chapters in this book

  1. Frontmatter I
  2. Preface V
  3. Contents VII
  4. Part I HIPAA, HITECH, and HITRUST
  5. 1 HIPAA foundations: What it is and what it isn’t 3
  6. 2 The HIPAA security rule: Safeguards and framework mapping 18
  7. 3 The HITECH act: Enforcement, breach response, and access rights 26
  8. 4 Breach notification and incident response 36
  9. 5 Administrative and physical safeguards 47
  10. 6 HITRUST – From compliance to assurance at scale 62
  11. 7 Bringing it all together: Operationalizing HIPAA compliance 76
  12. Part II NIST cybersecurity and privacy
  13. 8 The NIST landscape: Foundations of cybersecurity and privacy 85
  14. 9 The NIST cybersecurity framework: From strategy to practice 92
  15. 10 NIST SP 800-53: Control families in focus 101
  16. 11 NIST SP 800-171: Protecting CUI in non-federal systems 109
  17. 12 Implementing NIST in practice: Use cases across sectors 119
  18. 13 NIST maturity models and self-assessments 124
  19. Part III ISO/IEC 27001
  20. 14 ISO/IEC 27001: Layered security architecture and control mapping 133
  21. 15 Designing secure architecture with compliance in mind 147
  22. 16 Identity, access, and authentication models 171
  23. 17 Logging, monitoring, and system integrity 184
  24. 18 Compliance-ready incident response 196
  25. 19 System hardening and secure configuration management 206
  26. 20 Putting it all together: ISO/IEC 27001 in action 215
  27. Part IV PCI DSS and payment security
  28. 21 PCI DSS 4.0: Foundations of payment security 229
  29. 22 Deep dive: PCI requirements 1–6 236
  30. 23 Deep dive: PCI requirements 7–12 249
  31. 24 PCI reporting, SAQs, and certification pathways 262
  32. 25 Part IV recap: PCI DSS in practice 272
  33. Part V GDPR and global privacy laws
  34. 26 GDPR foundations: Scope, principles, and applicability 277
  35. 27 Lawful basis and consent management 292
  36. 28 Rights of the data subject 306
  37. 29 Security of processing (Article 32) 314
  38. 30 Breach notification under GDPR (Articles 33–34) 320
  39. 31 International data transfers and schrems II 330
  40. 32 Operationalizing GDPR: DPIAs, DPOs, and records of processing 338
  41. 33 GDPR enforcement and risk-based accountability 346
  42. Part VI Global privacy atlas
  43. 34 California CPRA: US state-level privacy done big 357
  44. 35 Brazil LGPD: Latin America’s GDPR-inspired framework 366
  45. 36 India’s DPDP act: Data empowerment in the world’s largest democracy 378
  46. 37 China’s PIPL: Privacy with Chinese characteristics 392
  47. 38 Quebec Law 25: Canada’s sharpest privacy reform yet 410
  48. 39 UK GDPR: Post-Brexit privacy and the “British way” 426
  49. 40 HIPAA and the new security rule 440
  50. Part VII Mapping and crosswalks
  51. 41 Unified compliance architecture: A cross-framework blueprint 465
  52. 42 Unified incident response and breach handling 474
  53. 43 The unified risk register: A strategic approach to multi-framework compliance 483
  54. 44 Harmonized policy sets and centralized documentation 490
  55. 45 Compliance evidence strategy and control libraries 497
  56. 46 Cross-framework audit prep and storytelling 506
  57. 47 Harmonized training, awareness, and culture 512
  58. 48 Multi-framework tabletop exercises and red team simulations 520
  59. 49 The future of compliance 527
  60. Part VIII Privacy engineering and control automation
  61. 50 Architecting for compliance: Embedding privacy in systems design 533
  62. 51 Policy-as-code and compliance automation pipelines 543
  63. 52 GRC-as-code, operationalizing compliance in real time 554
  64. 53 Control libraries, compliance SDKs, and reusable governance patterns 573
  65. 54 Simulation playbooks: Stress-testing your compliance in the real world 588
  66. 55 Global data protection frameworks: GDPR, ISO 27001, and beyond 599
  67. 56 Operationalizing NIST – Controls, profiles, and use cases 616
  68. Part IX AI and global compliance
  69. 57 Privacy blueprints for AI and machine learning systems 637
  70. 58 AI governance, privacy, and risk – Frameworks for responsible deployment 663
  71. 59 The compliance singularity, AI, trust, and the end of policies 683
  72. 60 Global AI governance models 691
  73. Part X Templates, labs, and appendices
  74. A Templates and forms: Compliance in action 701
  75. B Multi-framework audit checklists 705
  76. C Simulation playbooks and tabletop exercises 707
  77. D Compliance evidence index 711
  78. E Glossary of terms and acronyms 713
  79. F Control crosswalk appendix 718
  80. G Resources and further reading 719
  81. Index 721
Downloaded on 6.5.2026 from https://www.degruyterbrill.com/document/doi/10.1515/9783112226162-044/html?lang=en
Scroll to top button