Compliance Framework

GDPR Compliance

The EU General Data Protection Regulation governs personal data of people in the EU and EEA, with fines up to EUR 20 million or 4 percent of global annual turnover, whichever is higher.

Talk to us about GDPR Security and Compliance

GDPR for Canadian startups · GDPR cost in CAD

Who needs GDPR

Any company offering goods or services to, or monitoring, people in the EU or EEA — regardless of where the company is based.

Key GDPR requirements

The core of what GDPR asks you to put in place.

  • A lawful basis for every processing activity
  • Data subject rights: access, erasure, portability, and objection
  • Records of processing and, where required, Data Protection Impact Assessments
  • Data Processing Agreements with processors and lawful international transfers
  • Breach notification to the supervisory authority, generally within 72 hours
  • Privacy by design and, where required, a Data Protection Officer

Typical timeline

GDPR is ongoing law, not a one-time audit. A readiness program to map data, fix lawful bases, and stand up rights-handling commonly runs a few months, then operates continuously.

How we help with GDPR

We map your data flows, establish lawful bases and Data Processing Agreements, build data-subject-rights and breach workflows, and align your privacy program — often together with PIPEDA and Quebec Law 25 for Canadian companies selling into Europe.

See Security and Compliance, or compare estimated GDPR cost in CAD. Based in Toronto and led by a published CVE researcher, we deliver across Canada and the US with our partner Lorikeet Security.

Start the GDPR readiness →

GDPR questions

Does GDPR apply to a company outside the EU?

Yes. If you offer goods or services to, or monitor the behaviour of, people in the EU or EEA, GDPR can apply regardless of where you are based.

What are the maximum GDPR fines?

Up to EUR 20 million or 4 percent of total worldwide annual turnover, whichever is higher.

What is the breach notification deadline?

Notifiable breaches must generally be reported to the supervisory authority within 72 hours of becoming aware.

Do we need a Data Protection Officer?

Only in specific cases, such as large-scale monitoring or processing of special-category data, but many organizations appoint one voluntarily.

How does GDPR relate to Canadian privacy law?

GDPR is stricter than PIPEDA in places. A Canadian company selling into the EU usually aligns PIPEDA, Quebec Law 25, and GDPR together.

Move on GDPR with a team that has done it

Book a free discovery call. We will tell you whether GDPR fits, what it would take, and roughly what it would cost.

Book a call Contact us