Canadian companies that are gearing up for the May 25, 2018, General Data Protection Regulation (GDPR) should begin to consider whether the GDPR applies to their data processing activities in Canada. It is also important for companies to assess the extent to which the GDPR applies to them. For example, the level of fines associated with violating certain articles will depend on the size of the organization, which specific provisions were contravened, and a number of prescribed aggravating and/or mitigating factors. If their processing activities are large-scale, those companies will be required to designate a Data Protection Officer (DPO). Finally, companies should assess how GDPR requirements differ from their existing obligations under Canadian private sector privacy laws.