Your Quebec Law 25 Exposure Is Hiding in Three ERP Defaults. You Have Not Been Audited Yet.
A CIO of a Canadian industrial company called me last month. A Quebec resident had filed a data portability request for his own employment records under Law 25. The 30-day clock was running. The ERP owner pulled up the employee master and realized two things inside an hour. The record was replicated to a US data center under the default tenant configuration. And the export would not be structured, machine-readable data. It would be a PDF stitched together by a junior admin. That was the easy request. Two weeks later a rectification request arrived, and the AI-assisted credit scoring model had already acted on the uncorrected data for 11 months without a single disclosure to the affected individual.
That company had not been audited. The Commission d'accès à l'information had not knocked. The exposure was generated by three default configurations inside the ERP that everyone had signed off on at implementation, three years before Law 25 changed the rules underneath them. Those defaults are still there in most Canadian enterprises with a Quebec footprint, and in most multinationals that treat Canada as a single market. This is a strategy wake-up call for the CIO, CFO, and CTO who do not yet know they have already lost the argument with their own tenant configuration.
What Actually Changed in Quebec
Law 25 amended Quebec's Private Sector Act in three phases between 2022 and September 22, 2024. The last phase, the right to data portability, came into force on September 22, 2024. Every core obligation applies to any enterprise carrying on business in Quebec, including out-of-province and international businesses holding personal information of Quebec residents.
The penalties are not symbolic. Administrative monetary penalties can reach the greater of $10 million CAD or 2% of worldwide turnover. Penal fines can reach the greater of $25 million CAD or 4% of worldwide turnover for the preceding fiscal year. The CAI has five years to initiate penal proceedings. In late 2024 it published its first substantive decision under the amended regime, a self-initiated investigation into a printing company's biometric practices. The enforcement machine is now turning.
The three defaults below are where the enterprise ERP sits exposed. Each was made at a different time, by a different team, under a different regime. The law stacked them into one exposure surface.
Default One: Your Tenant Region Is Outside Quebec, and You Have No PIA on File
Most cloud ERP tenants default to a US East, US West, or EU region at provisioning. This is true of NetSuite, Oracle Fusion, Microsoft Dynamics 365, SAP S/4HANA Cloud, and every adjacent SaaS in the stack. The default was the vendor's closest region, or an implementation partner chose it for latency, or nobody asked. It was a shrug in 2022. It is a liability in 2026.
Section 17 of the amended Private Sector Act requires a documented privacy impact assessment before personal information is transferred outside Quebec. The PIA must consider the sensitivity of the information, the purposes of the transfer, the protection measures in place, and the legal framework of the destination jurisdiction. The transfer is permissible only if the assessment establishes that the information will receive adequate protection. A written agreement incorporating the PIA findings must bind the recipient to protection standards equivalent to Quebec's. Few enterprises have run this PIA on their ERP tenant. Almost none have run it on the AI inference layer above it.
AI-embedded ERP makes this worse. When Dynamics Copilot, SAP Joule, Oracle Fusion AI, or NetSuite AI processes a Quebec resident's record, the inference itself is a processing activity. It may run in a different region than the primary tenant. Microsoft has publicly announced Canadian in-country Copilot processing on a forward roadmap, not a current capability across the board. Oracle and SAP have Canada regions, but most mid-market tenants were not provisioned into them. The PIA you never did on your ERP now has to cover an AI inference path your vendor cannot describe in a single diagram.
What remediation looks like
Remediation is not "move the tenant." That is a 9- to 18-month project, and for some vendors a complete reimplementation. Realistic remediation is staged. Map every ERP module, AI feature, and peripheral SaaS that touches Quebec-resident personal information. Run a Section 17 PIA for each transfer path with real documentation. Negotiate the written agreement with the vendor that incorporates the PIA findings and binds them to equivalent protection. For the AI inference paths that cannot meet the bar, turn off the feature for Quebec residents until the vendor offers a Canada-resident inference path. The vendor will push back. The law does not care.
The hardest part is not the PIA. It is the moment you realize your ERP vendor cannot tell you with certainty where every inference runs. That moment is when the default becomes a liability.
Default Two: Automated Decisions Running Without Disclosure or a Human Review Channel
Section 12.1 of the amended Private Sector Act requires an organization using personal information to render a decision based exclusively on automated processing to inform the individual no later than at the time of the decision. On request, the organization must provide the personal information used, the reasons and the principal factors and parameters that led to the decision, and notice of the right to correct the data. Crucially, the individual must be given the opportunity to submit observations to a member of the personnel who can review the decision.
Read that twice. Then walk through your ERP and count the automated decisions. Credit hold release thresholds. Dunning escalation. Supplier risk scoring. Dynamic pricing rules. HR candidate screening. Expense auto-approval. Invoice auto-match. Employee performance flagging. Fraud detection thresholds in AP. Every one is a decision. When a human manager actually reviews and approves, that is human involvement. When the system acts and the human sees a report at month-end, that is exclusively automated. Rubber-stamp approvals do not count as meaningful intervention, as the provision is being interpreted in practice.
Now layer AI on top. Dynamics Copilot writing a credit memo. SAP Joule recommending a payment release. Oracle Fusion AI scoring a supplier. NetSuite AI suggesting a price. If the recommendation is acted on without meaningful human review, you are in Section 12.1 territory. If the individual affected cannot be told it happened, cannot see the personal information used, cannot see the factors, and cannot submit observations to a human reviewer, you are noncompliant. And you have no UI to fix it because the ERP vendor did not ship one.
The vendors are behind. SAP Joule, Oracle Fusion Agentic, Dynamics Copilot, and NetSuite AI all ship audit trails and "traceability." Traceability is not disclosure. Traceability tells your internal auditor what happened. Disclosure tells the affected individual, at the time of the decision, that the decision was automated, what information was used, and how to request human review. None of the major ERP vendors ship a disclosure UI out of the box. That is a product gap, not a configuration gap.
What remediation looks like
Build a Section 12.1 inventory for every automated decision in your ERP. Classify each in writing as exclusively automated or meaningfully human-involved. Where the line is close, move it cleanly by redesigning the workflow. For the ones that stay on the automated side, implement a disclosure UI. In most cases this will be a custom extension on top of the ERP. The disclosure must be delivered at the time of the decision, not in a month-end report. Build the human review channel as a real process with personnel who can actually review. Log the review requests and outcomes. The CAI will ask.
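The disclosure gate described above, as an added example that is not code from the original post or from any ERP vendor. It classifies each decision, assembles the Section 12.1 notice from the decision record, refuses to commit an exclusively automated decision whose notice cannot be built, and keeps the traceability entry for the auditor separate from the notice for the individual. The record fields, the review_substantive flag (an assumed UI signal that the reviewer actually examined the inputs rather than clicking approve), the review mailbox and the three sample decisions are constructed for illustration.

```python
"""Decision-time disclosure gate for Section 12.1 (added example, assumptions noted in comments)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class DecisionRecord:
    decision_id: str
    subject_id: str                   # the Quebec resident the decision concerns
    workflow: str                     # e.g. "credit_hold_release", "candidate_screen"
    outcome: str
    personal_info_used: dict          # the data the rule or model actually consumed
    principal_factors: list           # factors and parameters that led to the outcome
    human_reviewer: Optional[str] = None
    review_substantive: bool = False  # assumed UI signal: reviewer examined the inputs


@dataclass
class ReviewChannel:
    contact: str                      # a person or team who can re-examine the decision
    queue: list = field(default_factory=list)


class DisclosureError(Exception):
    """The notice owed at the time of the decision cannot be assembled."""


def classify(rec: DecisionRecord) -> str:
    """A reviewer who did not examine the inputs is a rubber stamp: still exclusively automated."""
    if rec.human_reviewer and rec.review_substantive:
        return "human_involved"
    return "exclusively_automated"


def build_disclosure(rec: DecisionRecord, channel: ReviewChannel) -> dict:
    """Assemble the individual-facing notice; refuse if a required element is missing."""
    if not rec.personal_info_used:
        raise DisclosureError(f"{rec.decision_id}: personal information used is not recorded")
    if not rec.principal_factors:
        raise DisclosureError(f"{rec.decision_id}: principal factors are not recorded")
    return {
        "decision_id": rec.decision_id,
        "to": rec.subject_id,
        "automated_decision": True,
        "workflow": rec.workflow,
        "outcome": rec.outcome,
        "personal_information_used": dict(rec.personal_info_used),
        "principal_factors": list(rec.principal_factors),
        "right_to_rectify": "You may request correction of the information above.",
        "submit_observations_to": channel.contact,
        "issued_at": datetime.now(timezone.utc).isoformat(),
    }


def render_decision(rec: DecisionRecord, channel: ReviewChannel,
                    audit_log: list, outbox: list) -> str:
    """Commit a decision only if its disclosure can go out at the same moment.

    audit_log is traceability (for the internal auditor); outbox is disclosure
    (for the individual). Exclusively automated decisions fail closed without it.
    """
    kind = classify(rec)
    if kind == "exclusively_automated":
        try:
            notice = build_disclosure(rec, channel)
        except DisclosureError as exc:
            audit_log.append({"decision_id": rec.decision_id, "status": "blocked", "why": str(exc)})
            return "blocked"
        outbox.append(notice)
    audit_log.append({"decision_id": rec.decision_id, "status": "committed", "classification": kind})
    return "disclosed" if kind == "exclusively_automated" else "human_involved"


def submit_observations(decision_id: str, subject_id: str, text: str,
                        channel: ReviewChannel) -> dict:
    """Open the human review the individual is entitled to; keep the log, the CAI will ask."""
    ticket = {"decision_id": decision_id, "subject_id": subject_id,
              "observations": text, "assigned_to": channel.contact, "outcome": None}
    channel.queue.append(ticket)
    return ticket


def demo() -> dict:
    """Constructed records: a rule-based hold, a rubber-stamped escalation, a reviewed screen."""
    channel = ReviewChannel(contact="credit-review@example.invalid")  # placeholder mailbox
    audit, outbox = [], []
    by_rule = DecisionRecord("D-1", "QC-0042", "credit_hold_release", "hold_kept",
                             {"days_past_due": 47, "credit_limit": 20000},
                             ["days_past_due > 45", "exposure > 80% of limit"])
    stamped = DecisionRecord("D-2", "QC-0042", "dunning_escalation", "escalate_to_level_3",
                             {"open_balance": 11200}, [], human_reviewer="ar.clerk")
    reviewed = DecisionRecord("D-3", "QC-0077", "candidate_screen", "advance",
                              {"years_experience": 6}, ["experience >= 5"],
                              human_reviewer="hr.lead", review_substantive=True)
    results = {r.decision_id: render_decision(r, channel, audit, outbox)
               for r in (by_rule, stamped, reviewed)}
    submit_observations("D-1", "QC-0042", "The invoice was paid on the 30th.", channel)
    return {"results": results, "notices": len(outbox), "review_queue": len(channel.queue),
            "blocked": [e["decision_id"] for e in audit if e["status"] == "blocked"]}
```

The point of the gate is the ordering: the notice is built before the decision is committed, so a workflow whose model cannot name its principal factors never renders a decision against a Quebec resident at all, and the audit log shows why. The rubber-stamped escalation (D-2) is blocked for exactly that reason, while the substantively reviewed screening (D-3) needs no notice.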
Expect the first complaints in HR workflows and credit decisions. Those are the two places where affected individuals have both motivation and standing.
Default Three: Data Portability, Rectification, and Deletion That Your ERP Cannot Actually Serve
The right to data portability came into force on September 22, 2024. Individuals can request their computerized personal information in a structured and commonly used technological format and have it transmitted to another organization. Private businesses have 30 days to respond. The right to rectification has been in force longer. Quebec's deletion regime is narrower than the EU's, but rectification functions as a partial deletion pathway in practice, and the right to cease dissemination and de-index is real and enforceable.
Most ERPs cannot serve these requests cleanly on a Quebec-resident record. The reasons are structural. Master data for an employee or customer is replicated across finance, HR, procurement, sales, and downstream systems. Foreign key relationships tie personal information into posted financial transactions that cannot be modified without breaking the audit trail. Intercompany links span entities and jurisdictions. Consolidated financial reporting depends on the completeness of the transactional record. The data warehouse has its own copy. Backups have another.
When a portability request arrives, the IT team discovers that "structured and commonly used technological format" is not what the ERP ships. The standard export is a CSV of the employee master. It does not include payroll history, benefits enrollment, performance reviews, or the access log of who viewed the record. A real portability response requires assembling data from 6 to 15 tables across the ERP and connected systems. Most enterprises do not have the tooling. They have 30 days and a junior admin.
When a rectification request hits a record that already fed an AI model, the exposure compounds. The model does not retroactively unlearn. The inferences it generated for the past 11 months were based on data the individual has now corrected. Those inferences drove decisions. Under Section 12.1, the individual has a right to know those decisions happened. Your ERP cannot produce that history without a custom query, and in most cases cannot produce it at all because the AI's inference log lives outside the ERP.
What remediation looks like
The remediation path is the longest and the most architectural. Build a Quebec-resident data map covering every table, every system, every backup, and every derivative dataset. Build a portability export tool that produces a structured, machine-readable format across all of them. Build a rectification workflow that propagates corrections into derivative datasets including the AI training and inference layers. Build a retention schedule that is real, enforced, and audit-ready.
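The data-map-driven export and rectification workflow from the paragraph above, as an added example that is not code from the original post or from any ERP vendor. It assumes every dataset holding Quebec-resident personal information is registered in DATA_MAP, with a flag for posted records that cannot be edited; the in-memory tables, the subject id QC-0042 and the postal_code correction are constructed. It goes slightly beyond the text in two ways: the export reports which registered datasets were unreachable when the package was built, and the rectification returns the logged inferences that consumed the stale value, which is the decision history the preceding paragraphs say the ERP cannot produce on its own.

```python
"""Data-map-driven portability export and rectification propagation (added example)."""
import json

# One entry per dataset holding Quebec-resident personal information (constructed map).
# "immutable" marks posted records that must not be edited; a correction is appended instead.
DATA_MAP = [
    {"system": "erp", "table": "employee_master", "key": "employee_id", "immutable": False},
    {"system": "erp", "table": "payroll_history", "key": "employee_id", "immutable": True},
    {"system": "hr", "table": "benefits_enrollment", "key": "employee_id", "immutable": False},
    {"system": "warehouse", "table": "dim_employee", "key": "employee_id", "immutable": False},
    {"system": "ai", "table": "inference_log", "key": "subject_id", "immutable": True},
]


def _rows(stores: dict, entry: dict, subject_id: str):
    """Rows for one subject in one mapped dataset, or None if the dataset is unreachable."""
    table = stores.get(entry["system"], {}).get(entry["table"])
    if table is None:
        return None
    return [r for r in table if r.get(entry["key"]) == subject_id]


def portability_export(subject_id: str, stores: dict) -> dict:
    """Assemble one structured package across every mapped dataset, flagging gaps."""
    package = {"subject_id": subject_id, "datasets": {}, "unreachable": []}
    for entry in DATA_MAP:
        name = f'{entry["system"]}.{entry["table"]}'
        rows = _rows(stores, entry, subject_id)
        if rows is None:
            package["unreachable"].append(name)   # a gap the 30-day response must account for
        else:
            package["datasets"][name] = rows
    package["complete"] = not package["unreachable"]
    return package


def to_json(package: dict) -> str:
    """The commonly used, machine-readable form of the package."""
    return json.dumps(package, indent=2, ensure_ascii=False)


def rectify(subject_id: str, field: str, new_value, stores: dict) -> dict:
    """Correct a field in the master and propagate it through every mapped dataset.

    Immutable datasets get an appended correction note. The inference log is not
    edited; it is searched for decisions that consumed the stale value, which is
    the history Section 12.1 obliges you to be able to produce.
    """
    report = {"updated": set(), "annotated": set(), "unreachable": [],
              "decisions_on_stale_value": []}
    master = stores["erp"]["employee_master"]
    old_value = next(r[field] for r in master if r["employee_id"] == subject_id)
    for entry in DATA_MAP:
        name = f'{entry["system"]}.{entry["table"]}'
        rows = _rows(stores, entry, subject_id)
        if rows is None:
            report["unreachable"].append(name)   # the correction did not reach this copy
            continue
        for row in rows:
            if entry["table"] == "inference_log":
                if row.get("inputs", {}).get(field) == old_value:
                    report["decisions_on_stale_value"].append(row["decision_id"])
            elif field in row and entry["immutable"]:
                row.setdefault("corrections", []).append({field: new_value, "was": old_value})
                report["annotated"].add(name)
            elif field in row:
                row[field] = new_value
                report["updated"].add(name)
    report["updated"], report["annotated"] = sorted(report["updated"]), sorted(report["annotated"])
    return report


def demo_stores() -> dict:
    """Constructed sample tables: one Quebec resident (QC-0042) and one other employee."""
    return {
        "erp": {
            "employee_master": [{"employee_id": "QC-0042", "name": "A. Tremblay", "postal_code": "H2X 1Y4"},
                                {"employee_id": "ON-0007", "name": "B. Singh", "postal_code": "M5V 2T6"}],
            "payroll_history": [{"employee_id": "QC-0042", "period": "2025-01", "net": 3100.0, "postal_code": "H2X 1Y4"},
                                {"employee_id": "QC-0042", "period": "2025-02", "net": 3100.0, "postal_code": "H2X 1Y4"}],
        },
        "hr": {"benefits_enrollment": [{"employee_id": "QC-0042", "plan": "ext-health", "postal_code": "H2X 1Y4"}]},
        "warehouse": {"dim_employee": [{"employee_id": "QC-0042", "postal_code": "H2X 1Y4"}]},
        "ai": {"inference_log": [
            {"decision_id": "D-1", "subject_id": "QC-0042", "inputs": {"postal_code": "H2X 1Y4", "tenure_months": 30}},
            {"decision_id": "D-2", "subject_id": "QC-0042", "inputs": {"tenure_months": 31}},
            {"decision_id": "D-3", "subject_id": "ON-0007", "inputs": {"postal_code": "M5V 2T6"}},
        ]},
    }
```

Two design choices carry the weight. The map, not the ERP's export screen, defines what "all personal information" means, so a dataset nobody registered is the finding, not a silent omission; and posted payroll rows are annotated rather than rewritten, which keeps the audit trail intact while still letting the export show the corrected value alongside what was on file when the inference ran.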
Do not build this once for Quebec and forget about it. Build it as a configurable data-subject-rights service that serves any jurisdiction. You will need it for PIPEDA reform, the EU AI Act, and Colorado's AI Act as they come online. The investment is the same. The difference is whether you amortize it across one regime or ten.
The Stack Trap
Most enterprise leaders treat Quebec Law 25 as a Canadian problem. It is the first enforcement-credible regime in a stack that is getting denser every quarter.
The EU AI Act began full high-risk enforcement in August 2026, treating HR-related AI, credit scoring, and several ERP-adjacent workflows as high-risk, with conformity assessments, technical documentation, and human oversight provisions. Colorado's AI Act, with an effective date delayed to June 30, 2026, imposes impact assessments and consumer notification for consequential decisions about employment, housing, credit, and education. Illinois, California, and Texas have overlapping regimes in flight. Any enterprise with Quebec, European, and US multi-state footprints has three to five regulatory vectors hitting the same automated decision at once.
The stack trap is this. An enterprise that remediates each regime in isolation builds three versions of the same thing, pays three times, and ends up with a compliance surface that cannot be audited consistently. An enterprise that remediates for Quebec Law 25 first, with the right abstractions, builds a data-subject-rights service, a disclosure and human-review service, and a PIA framework that generalizes to the EU and US regimes through configuration rather than new code. The first approach is a compliance cost center. The second is an operating capability.
Most enterprises will build the first one because it matches the org chart. Privacy owns Quebec. Another team owns EU. Another owns US states. The ERP team owns the system. Nobody owns the abstraction.
Here is what I want from you.
If you are inside an enterprise with any Quebec footprint and your ERP roadmap includes AI, scroll to the form at the bottom of this page and submit it. Tell me where your Quebec-resident data lives today, which AI-assisted workflows touch Quebec residents, and what nobody in your organization has given you a straight answer on. I read every note and respond personally. No sales funnel. No automated sequence. Just a conversation about the decision you are actually making.
And if you think I have this wrong, if your legal team has already cleared this or if your ERP vendor has indemnified you in a way I should know about, tell me. The shortest path to a better thesis is someone with direct experience telling me where mine is thin. I update my thinking from the mail.
What to Do Monday
If you are a CIO, CFO, or CTO of an enterprise with Quebec exposure, the week ahead has five concrete actions. None require a consulting engagement to start.
Pull the tenant region for every ERP and ERP-adjacent SaaS that touches Quebec residents. One page. Note which ones have a documented Section 17 PIA on file. The exercise takes two hours and it will be the most uncomfortable two hours of the quarter.
Inventory the automated decisions running in your ERP today. Credit, HR, procurement, pricing, fraud, expense. Classify each as exclusively automated or meaningfully human-involved. Rubber-stamp approvals are not meaningful. The exclusively automated side is the Section 12.1 exposure surface.
Run one live portability request against your own ERP. Pick a test employee record. Ask your team to produce a structured, machine-readable export of all personal information the ERP and downstream systems hold. Time it. If the team cannot deliver inside a week on a test record, they cannot deliver inside 30 days on a real one.
Ask each AI-embedded ERP vendor two questions in writing. Where does AI inference on Quebec-resident data physically occur today? What is the roadmap to a Canada-resident inference path with contractual indemnification? The written answers are the evidence for your Section 17 PIA and your negotiation at contract renewal.
Stand up a cross-functional data subject rights council. Privacy, legal, IT, ERP owners, HR, finance. Weekly for eight weeks. Target a median response time inside 10 days and a ceiling inside 25 days. The goal is a single operating capability for portability, rectification, disclosure, and human review, not compliance theatre.
The Ceiling Question
Quebec Law 25 is the first enforcement-credible privacy regime to land squarely on the ERP and the AI layer above it. It will not be the last. Enterprises that treat it as a compliance exercise will spend the next five years in a loop of remediation projects. Enterprises that treat it as a strategic architectural moment will build a data-subject-rights capability, a disclosure-and-review capability, and a PIA discipline that compounds across every regime that follows.
This is a ceiling question, not a compliance question. The ceiling is the speed at which your enterprise can safely deploy AI inside regulated workflows. Every jurisdiction that adds a regime raises the bar. Every enterprise that built its controls jurisdiction by jurisdiction raises its own cost. The gap compounds.
The first default was set at tenant provisioning. The second was set when the AI feature was switched on. The third was set when the ERP was selected. None were wrong at the time. All are wrong now.
You have not been audited yet. That is the window. Use it.
Shubhendu Tripathi is an AI and ERP strategy consultant based in Toronto, advising organizations on digital transformation, enterprise AI adoption, and technology leadership. Connect on LinkedIn or reach out at tripathis@qubittron.com.