Checklist for wealth managers to meet Canada’s privacy laws

With the introduction of new federal and provincial laws, Canada is entering a new era of privacy protection. Investment firms and financial institutions now have to shift gears, review rapidly, and in many cases, completely overhaul how they collect, store, and use their customers’ data. Here’s a checklist to ensure you’re prepared.

Tech adoption has been growing exponentially over the past decade, enabling companies across industries to capitalize on customer data. Firms use it aggressively to understand consumers’ pain points and unmet needs, develop new products and services, personalize advertising and marketing, and improve consumer engagement.

However, recent history shows that consumer data is subject to hacks and breaches. Identity theft has become all too common. In response, governments have begun to amend legislation to hold companies accountable for keeping this data safe.

“Any companies that collect, use and store personal information must comply with the law. Wealth management firms are no exception. To do so, they will have to provide their staff with the protocols and tools they need to properly manage the life cycle of any personal information they obtain from their clients,” said Luc Larose, Lawyer and Vice-President of Client Experience at Croesus.

New Canadian privacy acts

On September 22, 2021, the Québec government adopted Bill 64. It is now known as Law 25, An Act to modernize legislative provisions as regards the protection of personal information. The provisions of this Law will gradually come into force until September 2024. This reform makes Québec the first Canadian province to modernize its personal information protection policies to meet the current technological reality.

Many businesses may assume that the new legislative provisions do not apply to them. However, the reality is that any company that does business in the province will be subject to the new regulations.

“It’s important to comply with the Law promptly and on time because the organizational changes required will require a significant amount of planning, time, and resources. What’s more, the financial penalties for failing to comply are considerable,” said Larose.

Québec is not the only one tightening the privacy and data protection rules. Canada is quickly following suit with the tabling of Canada’s Consumer Privacy Protection Act. Although Bill C-27 may be significantly amended as it works through the legislative process, it is perfectly aligned with a growing trend towards privacy. The new privacy act of Canada aims to offer more robust protection locally and internationally.

Checklist to meet new Canadian privacy laws

For firms and banks in Canada to effectively navigate the complex new privacy regulations, it’s essential to understand what the new provisions stipulate. These institutions need to understand what they are and are not allowed to do. It’s also critical for businesses to be clear on the implications of non-compliance.

“Financial professionals and firms will have to ensure that the collection, use, disclosure, retention, and destruction of personal information are properly supervised,” said Larose.

Below is a checklist of actions you should already have taken to comply with the new provisions.

  • Access to Information and Privacy Committee: Establish data governance processes, including mechanisms to facilitate individuals in exercising their new-found privacy rights.
  • Privacy Officer: Appoint an individual responsible for ensuring adherence to privacy legislation.
  • Breach notification: Mandate the reporting of any unauthorized access to personal information to both the affected person and the Commission d’accès à l’information (CAI) (Access to Information Commission).
  • Enhanced regulation for research or statistical data: Implement a more rigorous framework for the disclosure of personal information for research or statistical purposes.
  • Formulation of corporate data management policies: Develop policies for managing corporate data effectively.
  • Transparency requirements: Publish privacy regulations and policies, and provide relevant information to affected individuals concerning various privacy-related matters.
  • Internal guidelines for implementation: Create internal guidelines to support staff and service providers in the implementation of new privacy policies.
  • De-indexing solutions: Utilize technological solutions to de-index or transfer personal information upon the request of the person concerned.
  • Strengthened consent rules: Implement more stringent rules for obtaining consent.
  • Revised conditions for data collection and disclosure: Introduce new criteria for collecting and disclosing personal information in diverse contexts.

In 2024, the right to data portability will be added to the list.

These rules apply not only to you, but also to your service providers. To avoid finding yourself in a disastrous situation that jeopardizes your business, it’s important to choose your technology suppliers wisely.

Understanding Bill C-27 and its implications

The central theme of Bill C-27 is obtaining consent for collecting, using, and disclosing personal information under Canada’s privacy act. If passed by the House of Commons, it will implement regulations and obligations similar to those applicable under Law 25. Moreover, it would also entail the adoption of two new laws:

  • Establishing an administrative tribunal responsible for cases arising from the new legislative framework for the protection of privacy.
  • Establishing a regulatory approach based on managing risks to govern trade and commerce in AI systems.

However, the use of certain personal information is excluded from these restrictions, including:

  • Transfers to service providers.
  • Use of personal information for internal research, analysis, and development, provided the information is de-identified.
  • Defined business activities, if a reasonable person would expect the collection or use for such an activity and the personal information is not collected or used to influence the individual’s behavior or decisions.

Understanding Québec's Law 25 and its implications

Law 25 imposes strict new requirements on the public and private sectors regarding the collection, use, and subsequent of personal information protection and electronic document integrity.

It also places the responsibility for data privacy squarely on the shoulders of company heads. This means it imposes sanctions in the event of serious privacy breaches. Moreover, it introduces the concept of “explicit consent” of individuals with regard to the use of their personal data. This advocates for making personal data anonymous, and gives consumers more control over their own data.

– – –

Some of the primary obligations that came into force on September 22, 2022, include the following:

Increased accountability

The company’s highest authority (typically the CEO) will be the person in charge of the protection of privacy. This means they will need to ensure implementation of the new law. This provision includes the obligation to report incidents or breaches of privacy to the Commission d’accès à l’information (CAI; Access to Information Commission). The CAI is the body responsible for applying the new Law 25 in Québec.


The CAI may impose administrative monetary penalties. These can be as high as $10 million or 2% of the firm’s worldwide annual revenue for non-compliance. At the same time, Law 25 further stipulates that criminal offences are subject to fines of up to $25 million or 4% of worldwide annual revenue.

Increased rights

Law 25 imposes strict guidelines on companies that use customer data. As of 2023, individuals affected by automated decision-making will have the right to request additional information regarding decisions made. They must be able to use this information to object to the automated decision if they so choose.

– – –

Some of the requirements that came into effect on September 22, 2023 include the following:


Anonymization, as defined by Law 25, involves the elimination of direct and indirect identifiers that surpass a significant threshold. “Direct identifiers” means information such as contact details, and “indirect identifiers” means information such as gender, for example.


Companies offering technology products or services with privacy settings (such as smartphones and tablets) will now have to ensure that these settings are defaulted to the highest privacy level, without consumer action required.

