Is Excel really enough for Law 25?
Since September 2023, the CAI can impose fines up to $25M without going through the courts. Most SMBs still document their compliance with Excel and Word. Here's why that approach puts you at risk — article by article.
Deadline passed: penalties have been enforceable since September 22, 2023.
60+ law articles covered (Law 25 + GDPR)
18 integrated compliance modules
93 documentable ISO 27002 controls
30 min for initial setup
Obligation by obligation
Each article of Law 25 imposes specific requirements. Here's what that looks like in practice with a homemade solution vs Conformaze.
Record of Processing Activities (ROPA)
Homemade: Manual Excel spreadsheet with no links between activities, assets, and actors. No versioning or audit trail.
Conformaze: Structured registry with automatic links between activities, assets, actors, and purposes. Versioning, immutable audit trail, and drift detection.
Risk: The CAI requires a registry maintained with a history of changes. An Excel file cannot prove when and by whom data was modified.
Privacy Impact Assessment (PIA / EFVP)
Homemade: 20+ page Word document copy-pasted from a template. No link to the ROPA registry. No way to prove the state of the data at the time of assessment.
Conformaze: Structured PIA with auto-fill from the ROPA, immutable data snapshots, scoring against the 8 CAI principles, and integrated remediation plans.
Risk: The PIA must accurately reflect actual processing. A Word document detached from the registry may contain outdated information without anyone knowing.
Confidentiality Incident Registry
Homemade: Email notifications, Excel tracking file, or tickets in a ticketing tool. No risk-of-harm calculation or CAI notification tracking.
Conformaze: Full workflow with risk matrix, serious harm assessment, CAI notification tracking, and minor incident registry (required by Law 25).
Risk: Law 25 requires a registry of ALL incidents, even minor ones, kept for at least 5 years. A closed ticket in a ticketing tool is not a compliant registry.
Consent and Collection Notices
Homemade: PDF privacy policy on the website. No link between consent points and actual processing. No consent proof.
Conformaze: Consent point registry linked to ROPA purposes, cookie inventory, consent proof capture and archiving.
Risk: The CAI can ask you to prove consent was obtained for a specific processing activity. Without traceability, it's your word against the complainant's.
Automated Decision Systems (ADS)
Homemade: No documentation. Most SMBs don't even know they use automated decisions (HR filters, customer scoring, etc.).
Conformaze: Dedicated AI/ADS registry with algorithm logic documentation, human oversight levels, and right of intervention tracking.
Risk: Since September 2023, any decision based exclusively on automated processing must be disclosed. The absence of a registry is a direct violation.
Cross-border Data Transfers
Homemade: A "Yes/No" checkbox in the ROPA spreadsheet, with no risk assessment or documentation of the destination country's legal framework.
Conformaze: Integrated risk assessment per transfer, legal framework documentation, PIA linkage, and full traceability.
Risk: Art. 17 requires an assessment BEFORE the transfer. A simple checkbox in Excel is not an assessment under the law.
Data Subject Access Requests (DSAR)
Homemade: Requests via email or Microsoft Forms, tracked in a ticket management tool. No 30-day SLA calculator, no pause/extension mechanism, no documented identity verification.
Conformaze: Dedicated submission portal, 30-day SLA counter with pause/resume and one-time extension, traceable identity verification, automatic linkage to ROPA activities.
Risk: The 30-day deadline starts upon receipt. Without an automatic counter, an unintentional overrun is a violation. Ticketing tools don't handle Law 25 specifics (pause, extension).
What it really costs
Excel's "free" has a hidden price. Here's a realistic estimate for a 50-employee SMB.
| Cost item | Homemade | Conformaze |
|---|---|---|
| Initial setup (Excel templates, Word procedures, forms, policy) | 80–120 hours (internal or consultant at $150/h) | Included — ready in 30 minutes |
| Annual maintenance (updates, training, version tracking) | 40–80 hours/year | Included in subscription |
| Consultant support (audit, annual review) | $5,000 – $15,000/year | Reduced 60–80% through automation |
| Preparing for a CAI audit | 40–80 hours of ad-hoc evidence gathering | Full export in a few clicks |
| Cost of non-compliance (CAI fine) | Up to $25M or 4% of global revenue | — |
| Estimated annual total cost | $18,000 – $35,000+ (internal hours + consultant) | Starting at $1,068/year ($89/month) |
* Estimates based on a 50-employee SMB, services sector. Internal hourly rate estimated at $45/h, external consultant at $150/h.
The risks you don't see
A homemade solution creates blind spots that stay invisible until an audit or incident.
Scattered documents
ROPA registry in one SharePoint folder, PIA in another, incidents in a ticketing tool, consent nowhere. During a CAI audit, gathering evidence takes weeks.
No audit trail
Excel doesn't log who changed what and when. When the CAI asks, you can't prove when your registry was last updated.
No drift detection
A processor changes its terms, an asset is decommissioned — your spreadsheet stays frozen. Nobody sees your registry is outdated.
Invisible deadline overruns
Without an automatic counter, a 30-day access request easily slips. Every late day is a potential violation.
Version errors
Which file is the right one? "ROPA_v3_final_FINAL_corrected.xlsx" — version errors are the norm, not the exception.
Unable to prove compliance
The CAI doesn't ask if you're compliant — it asks you to prove it. Scattered files are not structured evidence.
Scenario: an access request comes in
50-employee SMB, professional services sector. A client requests access to all their personal information.
With Excel + ticketing tool
1. The email arrives in the general inbox. Nobody knows exactly who should handle it.
2. Someone creates a ticket in the ticketing tool. The 30-day counter is not activated.
3. The officer searches through 4 different Excel files to identify which activities involve this client.
4. They draft the response in Word and send it by email. No proof of sending or follow-up.
5. Day 35: the person follows up. The deadline has passed. Nobody noticed.
With Conformaze
1. The request arrives via the dedicated portal. The 30-day SLA counter starts automatically.
2. The system automatically identifies the relevant ROPA activities and the designated officer.
3. Identity verification is documented. The file is complete and traceable.
4. The response is sent from the platform with timestamped proof.
5. Day 25: automatic alert. The case is closed on time with a complete audit trail.
Frequently asked questions
Answers to the questions most Quebec SMBs have about Law 25.
Does Law 25 apply to my SMB?
Yes. Law 25 applies to any business in Quebec that collects, uses or shares personal information, regardless of size. The only exception is strictly personal use. If you have clients, employees or suppliers, you are covered.
What fines can I face for non-compliance?
Administrative fines can reach $10M or 2% of global revenue. Criminal fines go up to $25M or 4% of global revenue. Executives can also be held personally liable. Since September 2023, the CAI can impose penalties without going through the courts.
How long does it take to become compliant?
With an Excel/Word approach, expect 3 to 6 months of part-time work for a 50-employee SMB. With Conformaze, the basic framework is in place within days and full documented compliance is achievable in 4 to 8 weeks.
Do I need a Chief Privacy Officer (CPO)?
Yes, Law 25 requires every organization to designate a person responsible for personal information protection. By default, this is the person with the highest authority (CEO, GM). You can delegate this role in writing to an employee or external consultant — Conformaze helps you document this delegation.
Isn't Excel enough to document our compliance?
Excel can serve as a starting point, but it doesn't provide an immutable audit trail, automatic versioning, links between your activities and assessments, or legal deadline counters. During a regulator inspection, these gaps become real risks.
What is a PIA and when do I need one?
A Privacy Impact Assessment (PIA / EFVP) is required before any project involving personal information — new system, new vendor, new processing activity. The regulator requires a documented risk assessment and mitigation measures.
Does Conformaze also cover GDPR?
Yes. Conformaze is designed for both Law 25 and GDPR. The modules are aligned with both frameworks — ROPA registry (Art. 30 GDPR), DPIA (Art. 35 GDPR), DSAR (Art. 15-22 GDPR), international transfers (Art. 44-49 GDPR) and security measures (ISO 27002).
What happens in case of a privacy incident?
Law 25 requires recording EVERY privacy incident (even minor ones) in a registry kept for 5 years. If there is a risk of serious harm, you must notify the CAI and the affected individuals. Conformaze structures this process with a risk matrix and notification tracking.
What's the difference between a consultant and Conformaze?
A consultant brings expertise and strategic advice. Conformaze provides the tools to execute and prove compliance on a daily basis. Both are complementary — in fact, Conformaze reduces the time your consultant spends on documentation tasks by 60 to 80%.
What does non-compliance cost beyond fines?
Beyond fines, consequences include: reputation damage, lost contracts (more and more clients require compliance), crisis management costs in case of an incident, and personal liability for executives. The real cost far exceeds the fine amount.