GDPR compliance mistakes can expose Canadian businesses to enforcement action, especially when processing EU residents' data through ecommerce, SaaS platforms, or marketing automation. This guide identifies structural errors in consent mechanisms, data handling, and cross-border transfers that practitioners commonly overlook.
Many Canadian businesses assume GDPR only applies if they have a physical presence in the EU. The regulation's territorial scope is broader: it applies to any organization that offers goods or services to individuals in the EU, or monitors their behaviour, regardless of where the business is established. If your Ottawa-based SaaS company allows signups from France or Germany, you fall under GDPR. If your ecommerce site ships to Belgium or uses tracking pixels that follow EU visitors across the web, the regulation applies.
The practical trigger is not a revenue threshold or transaction volume; it is the targeting of EU data subjects. Even a single newsletter subscription from someone in Ireland creates obligations. This scope catches Canadian businesses off guard because they think of privacy compliance in provincial terms, comparing PIPEDA to GDPR without recognizing that GDPR follows the data subject's location, not the controller's. Waiting until you have substantial EU revenue before addressing compliance is a structural mistake that leaves you exposed from the first EU visitor.
GDPR requires clear affirmative action for consent—pre-ticked boxes, implied consent from continued use of a site, or bundled consent that ties service access to non-essential data processing all fail this standard. The regulation demands unbundled, specific, informed, and freely given consent. Canadian businesses accustomed to PIPEDA's more flexible consent models often implement cookie banners that present a single Accept All button without an equally prominent Reject option, or that allow site navigation as implicit acceptance.
Granular consent controls must let users approve analytics, advertising, and functional cookies separately. The consent record itself must be timestamped and retained as proof. A common GDPR compliance error is deploying a banner that looks compliant (it has a privacy policy link, it mentions cookies) but functionally fails because it loads non-essential scripts before the user clicks anything, or because rejecting consent is buried in a settings submenu. The standard is binary: did the user take a clear action to agree, and could they reasonably withhold that agreement without losing access to the core service?
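As an added example (not code from the original article), here is a DOM-free JavaScript model of the consent gate described above: no non-essential script is loadable until an explicit recorded action, rejection is a single action as cheap as acceptance, each category is decided separately, and the retained record carries a timestamp and the policy version. All function names, category names and script URLs are assumptions.

```javascript
// Added example, not from the article. Names, categories and URLs are constructed.
const CATEGORIES = ["analytics", "advertising", "functional"];

// Scripts that always load (strictly necessary) and scripts gated by consent category.
const ESSENTIAL_SCRIPTS = ["https://example.invalid/session.js"];
const GATED_SCRIPTS = {
  analytics: ["https://example.invalid/analytics.js"],
  advertising: ["https://example.invalid/ads.js"],
  functional: ["https://example.invalid/chat-widget.js"],
};

// Fresh state for a visitor: nothing decided, nothing granted.
function createConsentState(policyVersion) {
  return { policyVersion, decided: false, granted: {}, recordedAt: null };
}

// Record an explicit user action. `choices` maps category -> boolean.
// Any category the user did not affirmatively tick is denied; there is no default-on.
function recordDecision(state, choices, now = new Date()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = choices[c] === true;
  return { ...state, decided: true, granted, recordedAt: now.toISOString() };
}

// "Reject all" and "Accept all" are each one action; withdrawing later is rejectAll again.
function rejectAll(state, now) { return recordDecision(state, {}, now); }
function acceptAll(state, now) {
  const all = {};
  for (const c of CATEGORIES) all[c] = true;
  return recordDecision(state, all, now);
}

// Scripts that may be loaded right now. Scrolling, navigating or ignoring the
// banner never flips `decided`, so before a decision only essential scripts load.
function loadableScripts(state) {
  if (!state.decided) return [...ESSENTIAL_SCRIPTS];
  const gated = CATEGORIES.filter(c => state.granted[c]).flatMap(c => GATED_SCRIPTS[c]);
  return [...ESSENTIAL_SCRIPTS, ...gated];
}

// Proof-of-consent record for retention: who, when, which policy text, which choices.
function consentRecord(state, subjectId) {
  if (!state.decided) return null;
  return { subjectId, policyVersion: state.policyVersion,
           recordedAt: state.recordedAt, choices: { ...state.granted } };
}
```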
Legitimate interest is the most commonly misused lawful basis for processing. It requires a three-part test: is there a legitimate interest, is the processing necessary to achieve it, and do the individual's rights and freedoms override that interest? Many businesses skip the balancing test entirely and simply declare legitimate interest for any processing they find convenient—lead enrichment, behavioral profiling, sharing data with partners. The GDPR compliance pitfall here is treating legitimate interest as a catch-all fallback when consent is inconvenient.
Even when legitimate interest genuinely applies, you must document the balancing test and provide a clear opt-out mechanism at the point of data collection and in every subsequent communication. For Canadian businesses used to implied consent for business purposes under PIPEDA, this represents a material tightening. Legitimate interest works for narrow, expected uses like fraud prevention or delivering a requested service, but not for broad marketing activities or monetizing user data through third parties. The enforcement pattern shows that supervisory authorities scrutinize legitimate interest claims heavily, particularly when the processing involves tracking, profiling, or data sharing beyond what the user would reasonably expect.
Transferring personal data outside the EU requires a lawful transfer mechanism. The invalidation of Privacy Shield and subsequent Schrems II ruling means Canadian businesses cannot rely on self-certification. Standard Contractual Clauses are the primary mechanism, but they must be implemented correctly: both parties sign, the clauses match the current EU Commission template, and you conduct a transfer impact assessment to evaluate whether the destination country's laws might undermine the safeguards.
Many businesses sign Data Processing Agreements with SaaS vendors—email platforms, CRM systems, analytics tools—without verifying that those DPAs include valid SCCs or that the vendor has obtained an adequacy decision. Canada does not have an adequacy decision from the EU, so any data flowing from EU subjects to Canadian servers requires SCCs or derogations for specific situations. A common mistake is assuming that because a vendor is reputable or widely used, the transfer is automatically compliant. The obligation sits with you as the data controller to verify the mechanism is in place and legally sound. Processors that store data in AWS or Google Cloud regions must specify which regions, and those regions must be covered by appropriate safeguards.
GDPR grants individuals the right to access their data, receive it in a portable format, and request deletion under certain conditions. The regulation sets a one-month response deadline, extendable by two months in complex cases. Many organizations lack the technical infrastructure to fulfill these requests efficiently. When someone submits a Subject Access Request, you must provide all personal data you hold about them, the purposes of processing, the categories of recipients, and retention periods. This often means querying multiple databases, email archives, CRM notes, and third-party systems.
A structural GDPR compliance error is building systems that make data retrieval manual and labor-intensive. If your architecture spreads user data across disconnected platforms without a unified identifier, compiling a complete response becomes operationally difficult and slow. Similarly, deletion requests require you to erase data from backups and third-party processors, not just production databases. The right to erasure has exceptions—legitimate legal obligations, contractual necessity—but you must evaluate each request individually and document your reasoning. Blanket policies that ignore deletion requests or delay responses beyond 30 days without communicating an extension create clear compliance gaps and enforcement exposure.
GDPR mandates concise, transparent, intelligible, and easily accessible privacy information. Vague language like "we may share data with partners" or "we retain information as long as necessary" fails the specificity standard. You must name the categories of recipients, specify retention criteria or periods, and list the lawful basis for each processing activity. Canadian businesses often adapt privacy policies written for PIPEDA without recognizing that GDPR demands substantially more detail.
A common mistake is failing to disclose sub-processors. If you use a marketing automation platform that relies on cloud infrastructure providers or email delivery services, those entities must be named or at least described by category. Similarly, data retention must be tied to objective criteria—three years after account closure, duration of the contractual relationship plus applicable limitation periods—not left open-ended. The policy must also explain how users can exercise their rights, including contact details for the Data Protection Officer if you have one, or a responsible contact if you don't. Treating the privacy policy as a legal formality rather than an operational transparency document creates both compliance risk and user trust issues.
GDPR's accountability principle requires you to demonstrate compliance, not just claim it. This means maintaining a Record of Processing Activities, documenting lawful bases, retaining consent records, and logging data breaches. Many businesses avoid GDPR compliance mistakes in their customer-facing practices but fail on internal documentation. When a supervisory authority requests evidence of your compliance measures, you must produce records showing what data you process, why, under what legal basis, who has access, and how long you retain it.
Data Protection Impact Assessments (DPIAs) are required for high-risk processing, particularly anything involving large-scale profiling, sensitive data, or systematic monitoring. Skipping DPIAs for activities like behavioral ad targeting or automated decision-making is a structural gap. Similarly, if you experience a data breach that poses a risk to individuals' rights and freedoms, you have 72 hours to notify the relevant supervisory authority. The notification must describe the nature of the breach, the approximate number of affected individuals, and the measures taken. Waiting to investigate fully before notifying, or treating the 72 hours as aspirational rather than mandatory, is a compliance error with direct enforcement consequences.
Yes, if you offer goods or services to individuals in the EU or monitor their behavior, GDPR applies regardless of where your business is located. The regulation follows the data subject, not the controller. A Montreal ecommerce site that ships to France or an Ottawa SaaS platform that accepts signups from Germany falls under GDPR. Physical presence is irrelevant; targeting EU residents triggers obligations.
Legitimate interest rarely applies to direct marketing for new customers. It requires a documented balancing test showing your interest doesn't override the individual's rights, and you must always provide a clear opt-out. For most email marketing, explicit consent is the appropriate lawful basis. Even if you claim legitimate interest, each message must include an unsubscribe mechanism, and you must honor opt-outs immediately.
You remain responsible as the data controller for ensuring lawful transfer mechanisms are in place. If a vendor processes EU personal data and doesn't offer SCCs or operate under an adequacy decision, you either need to find an alternative vendor or implement supplementary measures. Relying on a non-compliant vendor exposes you to enforcement action. Due diligence on data processing agreements is not optional.
You have one month from receipt of the request, extendable by two additional months if the request is complex or you receive multiple requests from the same individual. You must inform the requester of any extension within the first month and explain the reason. The clock starts when you receive a verifiable request, and delays beyond three months total violate the regulation.
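As an added illustration, not from the original article, the following JavaScript keeps the deadline bookkeeping for a Subject Access Request according to the rule above: the clock starts at a verifiable request, the deadline is one calendar month, an extension of up to two months must be notified with a reason inside the first month, and nothing runs past three months total. Function and field names are assumptions.

```javascript
// Added example, not from the article. Names are constructed; dates are handled in UTC.

// Add calendar months, clamping to the last day when the target month is shorter
// (31 Jan + 1 month -> 29 Feb 2024).
function addMonths(date, months) {
  const d = new Date(date.getTime());
  const day = d.getUTCDate();
  d.setUTCDate(1);
  d.setUTCMonth(d.getUTCMonth() + months);
  const lastDay = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 0)).getUTCDate();
  d.setUTCDate(Math.min(day, lastDay));
  return d;
}

// Open a request. The clock starts only once the request is verifiable.
function openRequest(id, receivedAt, identityVerified) {
  if (!identityVerified) throw new Error("clock does not start until the request is verifiable");
  return { id, receivedAt, deadline: addMonths(receivedAt, 1),
           extendedBy: 0, extensionReason: null, extensionNotifiedAt: null };
}

// Extend by up to two months. The requester must be told, with a reason, within the
// first month; a second extension is refused so the total never exceeds three months.
function extendRequest(req, months, reason, notifiedAt) {
  if (!(months >= 1 && months <= 2)) throw new Error("extension must be one or two months");
  if (req.extendedBy) throw new Error("request already extended");
  if (!reason) throw new Error("requester must be given the reason for the extension");
  if (notifiedAt > addMonths(req.receivedAt, 1)) {
    throw new Error("extension must be notified within the first month");
  }
  return { ...req, deadline: addMonths(req.receivedAt, 1 + months),
           extendedBy: months, extensionReason: reason, extensionNotifiedAt: notifiedAt };
}

// True once the (possibly extended) deadline has passed without completion.
function isOverdue(req, now) { return now > req.deadline; }
```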
A DPO is mandatory only if your core activities involve large-scale systematic monitoring or large-scale processing of sensitive data. Most Canadian businesses don't meet this threshold, but you still need a designated contact for privacy inquiries and supervisory authority communication. Even without a formal DPO, someone must own GDPR compliance and be reachable by data subjects exercising their rights.
Assess whether the breach poses a risk to individuals' rights and freedoms. If it does, you must notify the relevant EU supervisory authority within 72 hours. The notification should describe the breach, affected data, likely consequences, and mitigation measures. If the risk is high, you must also notify affected individuals directly without undue delay. Document the breach and your response even if notification isn't required, as you must demonstrate accountability.