The EU General Data Protection Regulation governs personal data of people in the EU and EEA, with fines up to EUR 20 million or 4 percent of global annual turnover, whichever is higher.
Any company offering goods or services to, or monitoring, people in the EU or EEA — regardless of where the company is based.
The core of what GDPR asks you to put in place.
GDPR is ongoing law, not a one-time audit. A readiness program to map data, fix lawful bases, and stand up rights-handling commonly runs a few months, then operates continuously.
We map your data flows, establish lawful bases and Data Processing Agreements, build data-subject-rights and breach workflows, and align your privacy program — often together with PIPEDA and Quebec Law 25 for Canadian companies selling into Europe.
See Security and Compliance, or compare estimated GDPR cost in CAD. Based in Toronto and led by a published CVE researcher, we deliver across Canada and the US with our partner Lorikeet Security.
Yes. If you offer goods or services to, or monitor the behaviour of, people in the EU or EEA, GDPR can apply regardless of where you are based.
Up to EUR 20 million or 4 percent of total worldwide annual turnover, whichever is higher.
Notifiable breaches must generally be reported to the supervisory authority within 72 hours of becoming aware.
Only in specific cases, such as large-scale monitoring or processing of special-category data, but many organizations appoint one voluntarily.
GDPR is stricter than PIPEDA in places. A Canadian company selling into the EU usually aligns PIPEDA, Quebec Law 25, and GDPR together.
Book a free discovery call. We will tell you whether GDPR fits, what it would take, and roughly what it would cost.