GDPR (General Data Protection Regulation) is a set of stringent data security, data privacy, and data governance requirements that is set to become global best practice.

Myth: GDPR compliance concerns new rules for privacy and security only for businesses in the EU.


Fact: GDPR applies to organizations in Canada offering goods and services to EU natural persons, even if their operations are not physically in the EU.


Risks of non-compliance: The business risk of non-compliance is much more than financial; in the worst case, the penalty is the maximum of $30 million or 4% of global revenue. There is also reputational risk in the case the EU could make against a non-compliant business: international news exposure of a complaint made against a business by an EU natural person, or by the EU state representing that natural person, can never be good for business. Then there is legal risk, which arises when a data subject sues a non-compliant business for damages caused by non-compliance, which in turn incurs even more reputational risk.


Summary: GDPR is about data privacy by design, data security by design, and data governance by design across all data activities involving personal data. We're here to help.

The $15 million referred to in the video is the minimum maximum penalty in the case where the data processor or data controller fails to meet their obligations, whereas the maximum maximum penalty is 2% of global revenues. Note that this is a different penalty class from the penalty for non-compliance with the rights of the data subject (maximum of $30 million or 4% of global revenues). See GDPR Article 83 for more information.



Don't underestimate the effort required to be GDPR compliant. In our experience, updating your systems and processes to be able to comply with the rights of EU data subjects takes the most effort, followed by being able to fulfil the obligations of being a data controller or a data processor.


Record Keeping

GDPR requires data controllers and data processors to keep records of their GDPR compliance efforts. A positive side-effect of this is that the documentation also enables management to provide the Board with evidence of GDPR compliance, thereby enabling the board to better exercise its Duty of Care.


Data Protection Officer

In some instances, the GDPR requires an organization to have a Data Protection Officer, one of whose responsibilities is to provide independent advisory services to the organization to ensure compliance. In this context, we offer external Data Protection Officer services to our clients.



To objectively assess compliance levels, we assess your strengths and weaknesses in the context of the GDPR's 261 pages, 99 Articles and 173 Recitals. The assessments are customized; there is no "one size fits all" approach to GDPR compliance. For example, the health data sections may be irrelevant if you're in banking.


Given this assessment, we help you prioritize your compliance efforts for maximum effect across three pillars: data privacy, data security, and data governance.


These assessments, perhaps performed quarterly, are exactly what the Board needs in its oversight role of ensuring GDPR compliance, using them to monitor work done and work that still needs to be done.



A Passion for Governance, Risk and Compliance


*Certification Number 1807810


GDPR Team Lead

Guy is a seasoned Governance, Risk and Compliance (GRC) professional with:


  • 18 years of risk management experience

  • 13 years of enterprise data governance experience

  • 8 years of enterprise Information Technology governance experience

  • Compliance experience that includes BCBS239, BCBS265 and BCBS279

  • Rich industry experience in banking, retail, financial services and insurance

  • 3 years as CEO of a multinational retail financial services organization with 700 staff operating in 3 countries

  • 10 years of corporate governance experience as a board director in public and private companies, also serving on their audit, credit, risk, finance, governance and IT committees

He is also a published industry thought leader, focusing on peer-reviewed journal articles on governance, risk, data and IT.

Contact us to learn more about becoming GDPR compliant, and about objectively measuring your level of GDPR compliance.

We look forward to the opportunity of being of service to you.

Suite 5700, 100 King St W, Toronto, ON M5X 1C7

905 334 4370

©2018 by Canadian GDPR Compliance