Public organization subject to Bill 25. Audit of existing Dynamics 365 configuration, mapping of personal data, remediation plan, and compliance support with audit deliverables.
Compliance or implementation of a Dynamics 365 platform (CRM, ERP, Customer Service, Sales) according to Quebec Bill 25 requirements: personal information mapping, consent management, regional hosting, logging, access and portability rights, Privacy Impact Assessment (PIA).
Bill 25 (officially the *Act to modernize legislative provisions as regards the protection of personal information*) modernizes Quebec's personal information protection framework. It came into force in stages between September 2022 and September 2024, bringing Quebec close to the European GDPR while retaining local specificities. For any Quebec organization, private or public, that processes personal information, the obligations are multiple: appointment of a person in charge of the protection of personal information (referred to here as the Privacy Officer, PO), a Privacy Impact Assessment (PIA) before any project to acquire, develop, or overhaul an information system involving personal information, consent that is manifest, free, informed, and given for specific purposes (express consent for sensitive information), access, rectification, and portability rights, notification of confidentiality incidents presenting a risk of serious injury to the Commission d'accès à l'information and to the persons concerned, documented retention policies, and transparency toward data subjects. The financial penalties are substantial and comparable in scale to the GDPR.
Dynamics 365 (Sales, Customer Service, Customer Insights, Marketing) is a natural Bill 25 target because it concentrates large volumes of personal information: names, contact details, interaction history, behavioral data, marketing profiles. Many Quebec organizations inherit non-compliant Dynamics configurations: hosting outside Canada, implied consents, insufficient audit logs, no tooling for data-subject rights. Microsoft provides the technical infrastructure for compliance (Canadian regions, Microsoft Purview, Compliance Manager), but legal and organizational compliance remains the client's responsibility. Our Dynamics 365 and Power Platform expertise, framed by the ATLAS methodology, structures this work.
Three typical moments to address Bill 25 in a Dynamics 365 project. First, before a new deployment — this is the ideal situation, controls are integrated from design and the PIA is naturally produced with the project. Second, during a redesign or migration (Dynamics CRM on-premise to Dynamics 365 cloud, for example) — the opportunity is seized to align on Bill 25. Third, as remediation on an existing platform — compliance is achieved without interrupting production, through targeted streams (consents, logs, user rights, retention). All three cases follow the same method but with different operational constraints.
Dynamics CRM on-premise, non-compliant Dynamics 365 cloud, or new deployment
Bill 25-compliant Dynamics 365 cloud, hosted in Canada Central / Canada East, privacy-by-design controls, signed PIA
Default choice. Hosting in the Canada Central and Canada East Microsoft regions, Microsoft Purview for classification and governance, Customer Insights configured within Bill 25 limits, Customer Voice with granular consents. Main recommendation for Microsoft organizations.
Cases where certain ultra-sensitive data must never reach Microsoft in clear text (e.g., healthcare, regulated public sector). A middleware layer (Azure API Management, a custom function) pseudonymizes the data before insertion into Dynamics, with the re-identification key and mapping held outside the CRM tenant and re-identification restricted and logged on the usage side.
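The pattern described above, as an added example written for this page (it is not the vendor's middleware and not a Microsoft API): a gateway that replaces sensitive columns with keyed, deterministic tokens before the record is sent to Dynamics, keeps the token-to-value mapping in a vault outside the CRM tenant, refuses re-identification to roles that are not allowed, logs every re-identification, and runs a guard on each outbound payload so that a clear-text value can never slip through. The column names, the allowed roles, and the in-memory vault are assumptions chosen for the example; in production the key would sit in the middleware's secret store and the vault in an access-controlled database.

```python
"""Pseudonymization middleware in front of Dynamics 365 (added example).

Illustrative code written for this page, not the vendor's middleware nor a
Microsoft API. Assumptions, all hypothetical: the field names are
Dataverse-style column names chosen for the example; the secret key lives in
the middleware's secret store and never in Dataverse; the vault is an
in-memory dict here and would be an access-controlled store outside the CRM
tenant in production.
"""
import hashlib
import hmac

# Columns that must never reach Dynamics in clear text (assumed list).
SENSITIVE_FIELDS = {"firstname", "lastname", "emailaddress1", "healthcardnumber"}
# Roles allowed to re-identify on the usage side (assumed).
REIDENTIFY_ROLES = {"clinician", "privacy_officer"}
TOKEN_PREFIX = "pseu_"


def _normalize(field: str, value: str) -> str:
    """Canonical form before hashing, so the same person yields the same token."""
    value = value.strip()
    return value.lower() if field == "emailaddress1" else value


def assert_no_clear_pii(payload: dict) -> None:
    """Guard run on every outbound payload: sensitive columns must be tokens."""
    leaked = [f for f in payload.keys() & SENSITIVE_FIELDS
              if payload[f] is not None and not str(payload[f]).startswith(TOKEN_PREFIX)]
    if leaked:
        raise ValueError(f"clear-text personal information in outbound payload: {leaked}")


class PseudonymizationGateway:
    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 256 bits")
        self._key = key
        self._vault: dict[str, str] = {}          # token -> original value, kept outside Dynamics
        self.reidentification_log: list[dict] = []

    def _token(self, field: str, value: str) -> str:
        # Keyed hash: deterministic (Dynamics can deduplicate and link records),
        # but not reversible or linkable without the key. The column name is
        # mixed in so the same string in two columns does not share a token.
        mac = hmac.new(self._key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256)
        return TOKEN_PREFIX + mac.hexdigest()[:32]

    def pseudonymize(self, record: dict) -> dict:
        """Return a copy of `record` that is safe to send to Dynamics."""
        out = dict(record)
        for field in out.keys() & SENSITIVE_FIELDS:
            if out[field] is None:
                continue
            value = _normalize(field, str(out[field]))
            token = self._token(field, value)
            self._vault[token] = value
            out[field] = token
        assert_no_clear_pii(out)
        return out

    def reidentify(self, record: dict, requester_role: str, purpose: str) -> dict:
        """Resolve tokens back to values; only for allowed roles, always logged."""
        if requester_role not in REIDENTIFY_ROLES or not purpose:
            raise PermissionError(f"re-identification refused for role {requester_role!r}")
        out = dict(record)
        for field in out.keys() & SENSITIVE_FIELDS:
            token = out[field]
            if isinstance(token, str) and token.startswith(TOKEN_PREFIX):
                out[field] = self._vault[token]    # KeyError on an unknown token: fail closed
        self.reidentification_log.append({
            "role": requester_role,
            "purpose": purpose,
            "fields": sorted(record.keys() & SENSITIVE_FIELDS),
        })
        return out
```

Because the tokens are deterministic, a second gateway instance with the same key produces the same tokens, which is what lets Dynamics deduplicate contacts; a different key yields different tokens, so two organizations sharing a platform cannot link each other's records. Re-identification is deliberately not a property of the data in Dynamics: it needs the gateway, the key, an allowed role, and a stated purpose, and each call leaves an entry in the log.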
Cases where part of the information must remain on-premise for sectoral regulatory reasons, despite a primary cloud architecture. More complex to maintain, only to consider if the need is clearly justified.
Cases where the organization seeks an alternative to Dynamics, and takes advantage of the Bill 25 work to reassess the platform. Significant effort but relevant if Dynamics does not cover functional needs.
A Bill 25 compliance program on Dynamics 365 is generally structured over **three to nine months** depending on whether starting from a greenfield deployment, a redesign, or a remediation. For a privacy-by-design greenfield deployment, plan **three to five months** with a cell of four people: a senior Dynamics 365 consultant, a Dynamics architect with privacy sensitivity, a partner legal consultant or PO, a project manager. For remediation on an existing platform, plan **six to nine months** because streams are multiple (consents, logs, rights, retention) and must be deployed without production disruption.
Confusing technical compliance (Microsoft configuration) with legal compliance (PIA, PO, processes). Bill 25 requires both, and the Microsoft cloud alone does not make an organization compliant.
Dual piloting: a technical stream with Dynamics architect and Microsoft Purview, a legal stream with the organization's PO and a legal consultant. Both streams converge on the signed PIA, which covers both technical controls and organizational processes. See the ATLAS methodology.
Underestimating consent management. On Dynamics, consents are often implied or untracked, which does not hold up under Bill 25. Reworking consents after the fact may require re-soliciting each contact.
Dedicated consent audit: extraction of contact databases, qualification of current legal bases (consent, legitimate interest, contractual performance), design of an explicit and granular consent procedure for existing and future contacts. Customer Voice and Power Pages portals tool the collection. Re-solicitation of existing contacts is planned via targeted campaigns.
Neglecting access logging on personal information. Bill 25's security obligations mean in practice that the organization must be able to trace who viewed, modified, or exported which records, and when. Default Dynamics settings are insufficient: Dataverse auditing is off until it is enabled for the environment and for each table and column concerned, and Audit Log Search only receives what Dataverse emits.
Explicit activation of Dataverse auditing (environment, tables, columns), then activation and configuration of Audit Log Search in Microsoft Purview, with retention adapted to requirements (typically one to three years). Excel exports and critical reports are also logged (Power BI audit logs, Customer Insights). A monthly review procedure of abnormal accesses is set up with the PO.
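What the monthly review can look like once the logs exist, as an added example written for this page (not Microsoft's or the vendor's code): three rules run over access records, flagging a single export above a size threshold, any access to a table holding personal information outside working hours, and a day on which a user touched far more rows than their own median. The record layout is a constructed simplification of what an Audit Log Search export might contain, the operation and table names are assumed, and the thresholds are starting points to tune with the PO.

```python
"""Monthly review of Dynamics 365 access logs (added example).

Illustrative code written for this page, not Microsoft's or the vendor's.
The records below are constructed: a simplified layout of what an Audit Log
Search export might contain, with assumed Operation and table names.
Thresholds are starting points to tune with the Privacy Officer.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

EXPORT_OPERATIONS = {"ExportToExcel", "BulkExport"}   # assumed operation names
SENSITIVE_TABLES = {"contact", "incident"}             # tables holding personal information (assumed)
BULK_EXPORT_ROWS = 500                  # a single export above this size is reviewed
OFF_HOURS_START, OFF_HOURS_END = 22, 6  # local time; accesses in [22:00, 06:00) are reviewed
BASELINE_MULTIPLIER = 3.0               # daily volume above 3x the user's median is reviewed
MIN_BASELINE_DAYS = 5                   # no baseline verdict with fewer days of history


def _rec(day, hour, minute, user, operation, table, rows):
    """Build one constructed audit record for March 2024."""
    ts = datetime(2024, 3, day, hour, minute)
    return {"CreationTime": ts.isoformat(), "UserId": user, "Operation": operation,
            "EntityName": table, "RecordCount": rows}


# Constructed sample: alice reads about 20 contacts a day, then 200 on day 11;
# bob makes one 1,200-row export and one late-night read; carol is normal.
SAMPLE_AUDIT_RECORDS = (
    [_rec(d, 10, 0, "alice@example.org", "Read", "contact", 20) for d in range(1, 11)]
    + [_rec(11, 10, 0, "alice@example.org", "Read", "contact", 200),
       _rec(3, 14, 5, "bob@example.org", "ExportToExcel", "contact", 1200),
       _rec(5, 23, 30, "bob@example.org", "Read", "incident", 3),
       _rec(2, 9, 0, "carol@example.org", "ExportToExcel", "contact", 40)]
)


def _is_off_hours(ts: datetime) -> bool:
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END


def review_access(records):
    """Return findings for the PO review, one dict per rule hit."""
    findings = []
    daily_rows = defaultdict(lambda: defaultdict(int))   # user -> date -> rows touched
    for r in records:
        ts = datetime.fromisoformat(r["CreationTime"])
        user, op, table = r["UserId"], r["Operation"], r["EntityName"]
        rows = int(r["RecordCount"])
        day = ts.date().isoformat()
        daily_rows[user][day] += rows
        if op in EXPORT_OPERATIONS and rows > BULK_EXPORT_ROWS:
            findings.append({"rule": "bulk_export", "user": user, "date": day,
                             "detail": f"{op} of {rows} {table} rows"})
        if table in SENSITIVE_TABLES and _is_off_hours(ts):
            findings.append({"rule": "off_hours", "user": user, "date": day,
                             "detail": f"{op} on {table} at {ts.strftime('%H:%M')}"})
    # Per-user baseline: a day far above the user's own median daily volume.
    for user, per_day in daily_rows.items():
        for day, rows in per_day.items():
            others = [v for d, v in per_day.items() if d != day]
            if len(others) < MIN_BASELINE_DAYS:
                continue
            base = median(others)
            if base > 0 and rows > BASELINE_MULTIPLIER * base:
                findings.append({"rule": "baseline_spike", "user": user, "date": day,
                                 "detail": f"{rows} rows vs median {base:g}"})
    findings.sort(key=lambda f: (f["user"], f["date"], f["rule"]))
    return findings


if __name__ == "__main__":
    for f in review_access(SAMPLE_AUDIT_RECORDS):
        print(f"{f['date']}  {f['user']:<20} {f['rule']:<15} {f['detail']}")
```

The baseline rule compares each day with the user's other days, so a user with little history produces no verdict rather than a false one; the review meeting with the PO then decides, finding by finding, whether the access had a legitimate purpose.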
Forgetting portability and deletion. Data subjects have the right to access their data, obtain it in a structured format, and obtain its erasure. On Dynamics, these operations are neither tooled nor documented by default.
Design of dedicated operational procedures: extraction of a contact's data in readable format (PDF, JSON), portability export, compliant deletion with derived data management (Power BI, Customer Insights, Customer Service tickets, backups). Legal deadlines (typically thirty days) are monitored via dedicated tickets and Power Automate alerts.
Considering compliance as a one-shot project. Bill 25 imposes continuous governance: new projects, new flows, new vendors trigger a PIA update.
Sustained governance: living PIA, updated at each major change, mandatory annual review with the PO. Formal procedure for any new project involving personal information (simplified PIA template for minor evolutions). The PO has a dedicated Power BI compliance dashboard.
Correctional services management platform built on Dynamics 365, Power Apps, and Dataverse. Tracking of incarcerated and probation persons, modernization of administrative processes, compliance with sensitive data protection requirements.
Quebec's Bill 25 modernizes obligations regarding personal information protection for Quebec organizations. It came into force in stages between 2022 and 2024 and requires the appointment of a Privacy Officer, a Privacy Impact Assessment before any new project, explicit consents, access, rectification, and portability rights, incident notification, retention policies, and transparency. Dynamics 365, like any CRM, concentrates massive personal information and falls directly within the Bill 25 scope: names, contact details, interaction history, marketing profiles, behavioral data.
It depends on the starting point. For a privacy-by-design greenfield deployment, plan three to five months with a cell of four people (Dynamics 365 consultant, privacy architect, legal consultant or PO, project manager). For remediation on an existing Dynamics platform, plan six to nine months because streams are multiple (consents, logs, user rights, retention) and must be deployed progressively without production disruption.
Both, in a structured pair. The Privacy Officer (PO) leads legal compliance, validates the PIA, and arbitrates sensitive choices (consents, transfers outside Quebec, retention durations). IT leads technical implementation on Dynamics and Microsoft Purview. Our co-delivery cell serves as the junction point between the two: we formalize legal requirements into technical specifications, and we translate technical constraints into clauses readable for the PO. Without this pair, the project drifts either toward legal without operational reach or toward technical without compliant validation.
No, but it is a prerequisite. Bill 25 does not forbid hosting outside Quebec, but any communication of personal information outside Quebec requires a PIA concluding that the information would receive adequate protection; hosting in the Microsoft Canada Central (Toronto) and Canada East (Quebec City) regions keeps that assessment simple. Bill 25 is not just about hosting, however: it also requires valid consents, tooled data-subject rights, logging, documented retention, incident notification, and a signed PIA. Hosting is a necessary but not sufficient condition. The work on Dynamics, Microsoft Purview, operational processes, and documentation remains to be done.
Three options depending on the situation. If current legal bases (legitimate interest, contractual performance) cover the use, they can be kept and documented without re-soliciting contacts. If explicit consent is required, a re-solicitation campaign is launched on active contacts (typically by email with a link to a Power Pages consent management portal). Contacts who do not respond after several reminders are switched to no-consent status: data is retained to comply with legal obligations but without active marketing use. The entire procedure is tracked and validated by the PO.
Several tools converge. Microsoft Purview for data classification, governance, and personal information mapping. Compliance Manager for control monitoring and report production. Audit Log Search for access and modification logging. Customer Voice for explicit consent collection with traceability. Customer Insights configured in line with Bill 25 limits. Power Pages for user portals (consent management, access rights, deletion requests). Power Automate to orchestrate incident notification and request response workflows. This tooling must be explicitly configured, it is not compliant by default.
We frame the trajectory, the budget, and the deliverables in a first thirty-minute conversation. A short POC can be proposed before committing to the full program.
Start this path →