The European Union (“EU”) General Data Protection Regulation (the “GDPR”), which will come into force in May 2018, is a significant evolution in personal data protection laws, and is materially different in important respects from the Canadian Personal Information Protection and Electronic Documents Act and similar provincial laws. The GDPR is complicated and nuanced, with permitted variances among EU member states. The GDPR provides regulators with significant investigation and enforcement powers and the ability to impose potentially severe financial penalties for non-compliance.

The GDPR will apply to Canadian organizations that have an establishment in the EU or that collect or process, on their own behalf or on behalf of another organization (including a corporate affiliate), personal data (including employee data) of EU residents in connection with an offering of goods/services or to monitor EU residents’ behaviour. Compliance with Canadian personal information protection laws will not satisfy GDPR requirements. Consequently, preparing for compliance with the GDPR may require significant effort, time and expense, and may involve changes to business models and corporate structures. Canadian organizations should determine whether they will be subject to the GDPR, and obtain appropriate technical and legal advice for GDPR compliance.

Read more here.