This is a frequent "reason" we have heard Canadian organizations cite for not pursuing GDPR compliance. However, Article 50 of the GDPR sets out how the Commission and EU supervisory authorities are expected to work with third-country regulators to enforce it beyond the EU's borders:
In relation to third countries and international organisations, the Commission and supervisory authorities shall take steps to:
develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;
provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;
engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;
promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.
Canada and the EU already have strong inter-jurisdictional relationships, and the relationship between the Office of the Privacy Commissioner of Canada and the EU data protection authorities is sure to strengthen. Canadian federal privacy law is also expected to catch up to the standard set by the GDPR within the next five years.
While these issues sort themselves out, the question is whether it is worth risking a penalty of up to €20 million (roughly $30 million) or 4% of global annual turnover, whichever is higher, plus the reputational damage you will incur if you have got it wrong.
GDPR compliance is plain, good business sense, and it costs a fraction of the financial, reputational and legal risk of choosing to ignore it. There may be some "relief" in the short term, but over the medium to long term the certainty with which financial penalties are enforced will be dramatically different.