I go to a lot of conferences and trade shows, and for the last couple of years everybody has been talking about the GDPR. As a new immigrant to Canada, I was a bit upset that nobody seemed to be concerned about the Digital Privacy Act and the upgrade to PIPEDA that we were going to do. People were more worried about the effect of GDPR than our own legislation. They are probably right to have been worried because the GDPR is more draconian than ours, I believe.
In ours, you don't have to report by a specific time other than “as soon as possible, please”. There was talk of fines of up to $100,000, but I haven't actually seen it actually saying what you have to pay. At the end of day, it's about breaches of personal information; it's not about breaches in general, whereas GDPR, I think, covers both of them.