
GDPR is here – And your Canadian business is likely impacted

Written by
Diana McLachlan

If you're like me, over the past month or so you've been receiving daily emails from a slew of organizations asking that you 'opt-in' to future digital communications. That's because, as of May 25, 2018, the General Data Protection Regulation (GDPR) is here to stay.

Designed to harmonize data privacy laws across Europe with the aim of protecting European Union (EU) citizens, the GDPR is transforming the way organizations across the pond approach data security and privacy. What many Canadian organizations – especially Canadian publishers, e-commerce businesses and digital marketers – don't yet realize is how much this new EU regulation will impact their own Canadian business.

GDPR and Canada's federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), have several similarities. However, it's important to note that they do indeed have their differences, and if you're a Canadian organization with digital properties, you may need to rethink your approach to collecting consumer data to comply with both. While some Canadian businesses may take comfort in the fact that much of the new regime will be familiar under our existing privacy laws, the GDPR contains many new or enhanced requirements.

The GDPR is not bound to a region.

Canadian companies with a website that collects information, whether the user is ordering products or simply accessing information, are impacted. The GDPR applies to any organization, wherever located, that uses and/or stores the personal data of EU citizens, whether they're students, tourists or online customers. This means any digital interaction with someone could have implications. For example, a Canadian business that collects personal information about residents, such as email addresses or phone numbers, even an exchange of cookies, is subject to the GDPR regulations.


No business is exempt – and the cost of violation is steep.

It doesn't matter how big or small your business is, the GDPR will still apply if your digital properties are marketing to EU citizens. The regulation is based solely on data used, and how your company handles that data. The GDPR has global reach, and those who do not adhere to its regulations when dealing with European consumers could face fines of up to €20 million or 4 per cent of a company's annual worldwide revenue, whichever is higher. This means that any Canadian business that violates the GDPR risks fines of $30 million CAD or more. Let that sink in.

A GDPR guide for Canadians

If you're a Canadian marketer and you're concerned you may be in violation, check out the European Commission website, which offers information you may find helpful for complying with GDPR requirements. The Canadian Marketing Association (CMA) has also published the Guide on EU GDPR and ePrivacy Regulation to provide support for compliance. See the CMA's guide by clicking here.

——— Diana McLachlan is a former Vice-President and Chief of Staff at NATIONAL Public Relations