Correctional services management platform built on Dynamics 365, Power Apps, and Dataverse. Tracking of incarcerated and probation persons, modernization of administrative processes, compliance with sensitive data protection requirements.
Compliance or implementation of a Dynamics 365 platform (CRM, ERP, Customer Service, Sales) according to Quebec Bill 25 requirements: personal information mapping, consent management, regional hosting, logging, access and portability rights, Privacy Impact Assessment (PIA).
Bill 25 (officially *Act to modernize legislative provisions as regards the protection of personal information*) modernizes the Quebec framework for personal information protection. It came into force in stages between 2022 and 2024, aligning Quebec with modern European GDPR standards while retaining local specificities. For any Quebec organization (private or public) processing personal information, the obligations are multiple: appointment of a Privacy Officer (PO), Privacy Impact Assessment (PIA) before any new project, explicit consent, access, rectification, and portability rights, incident notification within deadlines, documented retention policies, and transparency toward data subjects. The financial penalties are substantial, comparable to GDPR.
Dynamics 365 (Sales, Customer Service, Customer Insights, Marketing) is a natural Bill 25 target because it concentrates large volumes of personal information: names, contact details, interaction history, behavioral data, marketing profiles. Many Quebec organizations inherit non-compliant Dynamics configurations: hosting outside Canada, implicit consents, insufficient audit logs, no tooling for user rights. Microsoft provides the technical infrastructure for compliance (Canadian regions, Microsoft Purview, Compliance Manager), but legal and organizational compliance remains the client's responsibility. Our Dynamics 365 and Power Platform expertise, framed by the ATLAS methodology, structures this work.
There are three typical moments to address Bill 25 in a Dynamics 365 project. First, before a new deployment: this is the ideal situation, since controls are integrated from design and the PIA is produced as part of the project. Second, during a redesign or migration (Dynamics CRM on-premise to Dynamics 365 cloud, for example): the opportunity is used to align with Bill 25. Third, as remediation on an existing platform: compliance is achieved without interrupting production, through targeted streams (consents, logs, user rights, retention). All three cases follow the same method but with different operational constraints.
On-premise Dynamics CRM, non-compliant Dynamics 365 cloud, or new deployment
Bill 25-compliant Dynamics 365 Cloud, Canada Central / East hosting, privacy-by-design controls, signed PIA
Default choice. Hosting in Canada Central and East, Microsoft sovereign regions, Microsoft Purview for classification and governance, compliant Customer Insights, Customer Voice with granular consents. Main recommendation for Microsoft organizations.
Cases where certain ultra-sensitive data must never transit in clear to Microsoft (e.g., healthcare, regulated public sector). A middleware layer (Azure API Management, custom function) pseudonymizes before insertion into Dynamics, with controlled re-identification on the usage side.
Cases where part of the information must remain on-premise for sectoral regulatory reasons, despite a primary cloud architecture. More complex to maintain, only to consider if the need is clearly justified.
Cases where the organization seeks an alternative to Dynamics, and takes advantage of the Bill 25 work to reassess the platform. Significant effort but relevant if Dynamics does not cover functional needs.
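The pseudonymizing middleware option described above (tokenize before insertion into Dynamics, re-identify under control on the usage side) can be sketched as follows. This is an added example, not code from this page or from Microsoft; the field names, the `privacy_officer` role and the in-memory vault are assumptions, and a deployment would hold the key and mapping in a managed secret store.

```python
import hashlib
import hmac
import secrets

# Hypothetical field names; a real list comes from the PIA's data inventory.
SENSITIVE_FIELDS = {"health_card_number", "diagnosis"}


class PseudonymVault:
    """Keeps the HMAC key and the token-to-value map outside the CRM."""

    def __init__(self, key, allowed_roles=("privacy_officer",)):
        self._key = key
        self._values = {}   # token -> clear value (in memory for the demo)
        self._allowed_roles = set(allowed_roles)
        self.audit = []     # every re-identification attempt is recorded

    def tokenize(self, field, value):
        # Binding the field name into the MAC keeps equal values in
        # different fields from producing the same token.
        msg = f"{field}\x00{value}".encode("utf-8")
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        token = "psn_" + mac[:32]
        self._values[token] = value
        return token

    def reidentify(self, token, user, role, purpose):
        allowed = role in self._allowed_roles and token in self._values
        self.audit.append({"user": user, "role": role, "token": token,
                           "purpose": purpose, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"re-identification denied for {user}")
        return self._values[token]


def pseudonymize_record(record, vault):
    """Return a copy safe to send to the CRM: sensitive fields become tokens."""
    return {k: vault.tokenize(k, v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


if __name__ == "__main__":
    vault = PseudonymVault(secrets.token_bytes(32))
    # Constructed sample record, not real data.
    contact = {"contact_id": "C-1001", "city": "Montreal",
               "health_card_number": "TEST00000000", "diagnosis": "sample"}
    safe = pseudonymize_record(contact, vault)
    print(safe)
    print(vault.reidentify(safe["diagnosis"], "po@example.org",
                           "privacy_officer", "access request"))
```

Keyed, deterministic tokens let the CRM match repeated values without seeing them, but they also reveal when two records share a value; where that matters, use random tokens stored in the vault instead.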
A Bill 25 compliance program on Dynamics 365 is generally structured over three to nine months, depending on whether the starting point is a greenfield deployment, a redesign, or a remediation. For a privacy-by-design greenfield deployment, plan three to five months with a cell of four people: a senior Dynamics 365 consultant, a Dynamics architect with privacy sensitivity, a partner legal consultant or PO, and a project manager. For remediation on an existing platform, plan six to nine months because there are multiple streams (consents, logs, rights, retention) and they must be deployed without production disruption.
Confusing technical compliance (Microsoft configuration) and legal compliance (PIA, PO, processes). Bill 25 requires both, and the Microsoft cloud alone does not deliver compliance.
Dual piloting: a technical stream with Dynamics architect and Microsoft Purview, a legal stream with the organization's PO and a legal consultant. Both streams converge on the signed PIA, which covers both technical controls and organizational processes. See the ATLAS methodology.
Underestimating consent management. On Dynamics, consents are often implicit or untracked, which does not hold up under Bill 25. Reworking consents after the fact may require re-soliciting each contact.
Dedicated consent audit: extraction of contact databases, qualification of current legal bases (consent, legitimate interest, contractual performance), design of an explicit and granular consent procedure for existing and future contacts. Customer Voice and Power Pages portals support the collection. Re-solicitation of existing contacts is planned via targeted campaigns.
Neglecting access logging on personal information. Bill 25 requires the ability to trace who has seen, modified, or exported what, and for how long. Default Dynamics settings are insufficient.
Explicit activation and configuration of Audit Log Search in Microsoft Purview, with retention adapted to requirements (typically one to three years). Excel exports and critical reports are also logged (Power BI Audit Logs, Customer Insights). A monthly review procedure of abnormal accesses is set up with the PO.
Forgetting portability and deletion. Users have the right to access their data, export it, and obtain its erasure. On Dynamics, these operations are neither supported by tooling nor documented by default.
Design of dedicated operational procedures: extraction of a contact's data in readable format (PDF, JSON), portability export, compliant deletion with derived data management (Power BI, Customer Insights, Customer Service tickets, backups). Legal deadlines (typically thirty days) are monitored via dedicated tickets and Power Automate alerts.
Considering compliance as a one-shot project. Bill 25 imposes continuous governance: new projects, new flows, new vendors trigger a PIA update.
Sustained governance: living PIA, updated at each major change, mandatory annual review with the PO. Formal procedure for any new project involving personal information (simplified PIA template for minor evolutions). The PO has a dedicated Power BI compliance dashboard.
Quebec's Bill 25 modernizes obligations regarding personal information protection for Quebec organizations. It came into force in stages between 2022 and 2024 and requires the appointment of a Privacy Officer, a Privacy Impact Assessment before any new project, explicit consents, access, rectification, and portability rights, incident notification, retention policies, and transparency. Dynamics 365, like any CRM, concentrates large volumes of personal information and falls directly within the Bill 25 scope: names, contact details, interaction history, marketing profiles, behavioral data.
It depends on the starting point. For a privacy-by-design greenfield deployment, plan three to five months with a cell of four people (Dynamics 365 consultant, privacy architect, legal consultant or PO, project manager). For remediation on an existing Dynamics platform, plan six to nine months because streams are multiple (consents, logs, user rights, retention) and must be deployed progressively without production disruption. For public-sector organizations deploying Dynamics CRM, the public-sector CRM path covers the full program (administrative workflows, citizen portal, Power BI reporting) with Bill 25 or GDPR compliance built in.
Both, in a structured pair. The Privacy Officer (PO) leads legal compliance, validates the PIA, and arbitrates sensitive choices (consents, transfers outside Quebec, retention durations). IT leads technical implementation on Dynamics and Microsoft Purview. Our co-delivery cell serves as the junction point between the two: we formalize legal requirements into technical specifications, and we translate technical constraints into clauses readable for the PO. Without this pair, the project drifts either toward legal without operational reach or toward technical without compliant validation.
No, but it is a prerequisite. Microsoft offers Canada Central (Toronto) and Canada East (Quebec) regions that satisfy the regional hosting requirement. However, Bill 25 is not just about hosting: it also requires explicit consents, tooled user rights, logging, documented retention, incident notification, signed PIA. Hosting is a necessary but not sufficient condition. The work on Dynamics, Microsoft Purview, operational processes, and documentation remains to be done.
Three options depending on the situation. If current legal bases (legitimate interest, contractual performance) cover the use, they can be kept and documented without re-soliciting contacts. If explicit consent is required, a re-solicitation campaign is launched on active contacts (typically by email with a link to a Power Pages consent management portal). Contacts who do not respond after several reminders are switched to no-consent status: data is retained to comply with legal obligations but without active marketing use. The entire procedure is tracked and validated by the PO.
Several tools converge. Microsoft Purview for data classification, governance, and personal information mapping. Compliance Manager for control monitoring and report production. Audit Log Search for access and modification logging. Customer Voice for explicit consent collection with traceability. Customer Insights configured in line with Bill 25 limits. Power Pages for user portals (consent management, access rights, deletion requests). Power Automate to orchestrate incident notification and request response workflows. This tooling must be explicitly configured; it is not compliant by default.
Dynamics AX 2009 and AX 2012 are out of mainstream Microsoft support. AX 2012 R3 left mainstream support in October 2018 and extended support in January 2023; running it now means no security updates from Microsoft and increasing audit and compliance risk. The successor is Dynamics 365 Finance & Operations (cloud-first, formerly Dynamics 365 for Finance and Operations), which Microsoft actively invests in with quarterly releases, embedded Copilot, and modern integrations. For organizations still on AX 2012, migration is no longer optional in regulated industries. The path runs 12 to 24 months for a complex multi-country instance, with an initial 2-6 week POC to measure productivity. The ATLAS methodology is applied to Dynamics migrations with an internal classified discrepancy registry. See the Dynamics 365 + Quebec Law 25 journey.
We frame the trajectory, the budget, and the deliverables in a first thirty-minute conversation. A short POC can be proposed before committing to the full program.