Insight · Compliance
PIPEDA, Law 25 and Microsoft 365: the controls that matter.
Canadian privacy law does not name Microsoft 365 anywhere, yet for most organizations the tenant is where the obligations are won or lost. PIPEDA expects safeguards proportional to data sensitivity. Quebec Law 25 goes further: privacy by default, documented retention, breach registers, and real penalties. Both translate into concrete tenant configuration.
The controls that matter most in practice: knowing where personal information lives (classification), limiting who can reach it (access review and sharing defaults), protecting it in motion (DLP), keeping it only as long as needed (retention and disposition), and proving all of the above (audit and activity reporting). Each maps to a specific Microsoft 365 capability that most licenses already include but few tenants have configured.
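As an added example (not the original insight's code), a read-only PowerShell posture check that records the current state of the five control areas just listed. It assumes the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules are installed, an account holding the relevant admin roles, and `<tenant>` replaced with your tenant name; access reviews live in Entra ID governance and are not queried here.

```powershell
# Added example: read-only evidence gathering for classification, sharing defaults,
# DLP, retention and audit. Assumes the SharePoint Online and ExchangeOnlineManagement
# modules are installed; <tenant> is a placeholder. Nothing below changes settings.
$AdminUrl = "https://<tenant>-admin.sharepoint.com"   # placeholder, replace before use

Connect-SPOService -Url $AdminUrl
Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession                       # Security & Compliance PowerShell

$findings = @()

# 1. Classification: personal information can only be located on demand if labels exist.
$labelCount = @(Get-Label).Count
$findings += [pscustomobject]@{ Control = 'Sensitivity labels defined'; Value = $labelCount; Ok = ($labelCount -gt 0) }

# 2. Sharing defaults: 'ExternalUserAndGuestSharing' permits anyone links tenant-wide.
$tenant = Get-SPOTenant
$findings += [pscustomobject]@{ Control = 'SharePoint/OneDrive sharing default'; Value = $tenant.SharingCapability; Ok = ($tenant.SharingCapability -ne 'ExternalUserAndGuestSharing') }

# 3. DLP: count policies that enforce, not those still in a test mode.
$dlp = @(Get-DlpCompliancePolicy | Where-Object { $_.Enabled -and $_.Mode -eq 'Enable' })
$findings += [pscustomobject]@{ Control = 'DLP policies enforcing'; Value = $dlp.Count; Ok = ($dlp.Count -gt 0) }

# 4. Retention: at least one enabled policy must back the documented retention schedule.
$retention = @(Get-RetentionCompliancePolicy | Where-Object { $_.Enabled })
$findings += [pscustomobject]@{ Control = 'Retention policies enabled'; Value = $retention.Count; Ok = ($retention.Count -gt 0) }

# 5. Audit: without unified audit log ingestion there is no activity evidence to show.
$audit = Get-AdminAuditLogConfig
$findings += [pscustomobject]@{ Control = 'Unified audit log ingestion'; Value = $audit.UnifiedAuditLogIngestionEnabled; Ok = [bool]$audit.UnifiedAuditLogIngestionEnabled }

# One row per control; export this table as the dated evidence for the review.
$findings | Format-Table Control, Value, Ok -AutoSize
```

Pipe `$findings` to `Export-Csv` with a date in the file name to keep the snapshot as evidence for the breach register and retention documentation Law 25 expects.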
Law 25 deserves particular attention from any organization with Quebec customers or employees, not only Quebec-based companies. Its consent, de-indexing and incident requirements assume you can locate and act on an individual’s data on demand. Without classification and retention in place, every such request becomes a manual search project.
The encouraging part: this is configuration work, not a software purchase. Most regulated organizations we review already own the necessary capabilities in their existing licensing. The gap is deployment and evidence, and that gap is closable in weeks, not years. See how your posture holds up below.