The General Data Protection Regulation (GDPR) provides an opportunity for companies to position themselves as proactive data privacy leaders, say experts. (Pop Tika/Shutterstock)

The GDPR is here and companies are rushing to comply with the EU’s new global standard for data privacy

Step one for Canadian companies is determining what data they have and how it flows through their business

A new global standard for data privacy and transparency effectively came into force on May 25, 2018, with the European Union’s General Data Protection Regulation (GDPR). And even though the EU announced the changes in 2016, giving everybody a two-year window to get their ducks in a row, many companies were still clearly scrambling to do so in the final hours.

Canadian companies with any business connection to the EU, physical or otherwise, now need to comply with the GDPR. As a result, professional service firms have seen a surge in calls from concerned clients inquiring about how best to proceed.

“Once May 25 hit, a number of our Canadian companies impacted by the GDPR received requests from individuals asking to access or delete their personal information,” says Jordan Prokopy, director of Cybersecurity & Privacy at PwC Canada, noting that the request to delete or transport personal data is one new element of the GDPR.

“One of the biggest impact areas we’re seeing is with our tech companies. Even prior to the deadline they were getting a number of questions from their clients in Europe asking, ‘What are you doing about the GDPR? And if you’re not able to give us comfort around your GDPR compliance, then we’re going to go with a different vendor.’”

Prokopy says each company’s compliance priorities will be unique. For instance, a B2B (business-to-business) company will have different concerns than a B2C (business-to-customer) company. But in general terms, step one should be performing an exercise to determine what personal data you have, where it’s located and how it’s flowing in and out of your organization and across international borders.

“For one, this helps you scope out the impact of GDPR on your company,” Prokopy says. “But it also helps you meet your Article 30 requirement for registering processing activities.”

While much of this news may sound stressful, experts suggest the GDPR also provides an opportunity for companies to position themselves as proactive data privacy leaders.

“Privacy is good for business,” says Dr. Ann Cavoukian, who served three terms as Ontario’s Information and Privacy Commissioner. “Treat it as a business issue not just one of regulatory compliance. It gives you a competitive advantage because it ensures the loyalty of customers you have—it attracts new opportunities and it builds trust.”

Cavoukian is also the creator of Privacy by Design (PbD), an internationally recognized set of data protection guidelines that are included in the GDPR framework. She says the big data fish are likely to be the first targets for regulators, so if you’re a small- to medium-sized company (SME) you don’t need to panic, as long as you can show that you’re making progress towards compliance.

Proof of that is already evident with Facebook and Google coming under attack on the very first day that GDPR came into effect. Companies can face fines up to four per cent of their annual global turnover or 20 million euros (whichever is higher), for non-compliance.
