In the news yesterday was this - UK issues first-ever GDPR notice in connection to Facebook data scandal - which was particularly interesting because of the subtitle; "Canadian firm AggregateIQ, linked to the Facebook & Cambridge Analytica data scandal, is the first to be put on notice."
In particular, "The controller [AIQ] has failed to comply [with GDPR]. This is because the controller has processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing."
There have been many questions asked about whether the GDPR can be enforced in Canada. In this respect, the article continues that if AggregateIQ does not comply with the enforcement notice to the satisfaction of the Information Commissioner's Office, that it may be subject to the financial penalties imposed by GDPR, assuming the EU's GDPR reach successfully extends beyond its own borders.
The last part of the last sentence is the crunch, and is what makes this a really interesting case to watch for all Canadian organizations processing data involving EU data subjects.