GDPR


What marketers need to know

The General Data Protection Regulation (GDPR) regulates the processing by an individual or organization of personal data relating to individuals in the EU.

If you're a Canadian organization, you are subject to the GDPR if you:

  • Have an establishment or physical presence in the EU,
  • Offer goods or services to EU residents (even at no charge), or;
  • Intentionally monitor or profile behaviours of individuals in the EU.

There are also implications if you are a third-party processor of EU personal data.

Of particular importance to marketers is the expected ePrivacy Regulation (intended to replace the current ePrivacy Directive), a companion regulation to the GDPR covering the processing of personal information for electronic communication, including cookie usage.

As European legislators struggle to reach a consensus (the latest draft of the ePrivacy Regulation was voted down in late 2019), implementation of the new regulation may not occur until well into 2021.



In force since May 25, 2018, the GDPR was created for the purpose of strengthening and unifying privacy and data protection for all individuals in the EU.

Organizations should be mindful of general guidance issued by the European Data Protection Board (EDPB) to promote a common understanding of the GDPR, both across the EU and around the world, as well as available guidance from designated supervisory authority(ies) in each country.

Canada's adequacy status under the GDPR ensures that data processed in accordance with the GDPR can be transferred from the EU to Canada without the additional data protection safeguards that have been put in place for some other countries. This status is subject to review by the EU every four years, and a decision on Canada's renewed adequacy status is expected soon.

Violators of the GDPR may be fined up to €20 million, or up to 4% of their annual worldwide turnover for the preceding financial year, whichever is greater.

The GDPR is enforced by the designated supervisory authority or "Data Protection Authority" in each member state. Although the GDPR is an EU-wide law, passed by the European Parliament, it's up to each of the member states to develop its own guidance around GDPR and enforce the application of the law within its territory.

Generally, you will deal with the supervisory authority(ies) in the EU Member State(s) where you are established. If you do not have an establishment in the EU, consult the following guidelines to identify your relevant supervisory authority(ies).

Organizations should be mindful of general guidance issued by the European Data Protection Board (EDPB) to promote a common understanding of the GDPR, both across the EU and around the world. You should also consult available guidance from your designated supervisory authority(ies). 

For a full list of guidelines from the EDPB, see here.

Major Sponsors

  • BMO-800x450
  • CIBC-800x450
  • Microsoft-2023