How to Change Your Organisation’s Behaviours and Compliance for GDPR

By Terri Mason-Benjamin | Published May 07, 2018

While many of the GDPR's predecessor the Data Protection Directive's core principles and obligations remain unchanged under the GDPR, it does impose new and additional requirements. A new cornerstone of the GDPR is the obligation to not only comply with, but to also demonstrate this compliance.

Meeting the accountability requirements will mean doing more than just establishing data protection policies and procedures, these changes need to be embedded in an organisation's culture. Staff will need to be educated on changes that are happening, including what the changes are and why they are happening, and be trained on new processes

Accountability will require organisations to be able to demonstrate compliance with the GDPR by showing the supervisory authority how an organisation complies on an on-going basis. This means that processes will have to be reviewed regularly, and staff should be offered support as they adapt to the new framework.

It is not an organisation that changes, it is individuals, and for an organisation to implement effective change enough individuals need to act on it. For the changes GDPR brings to be made a permanent part of an organisation's culture reinforcement should also be offered; staff should be thanked for their efforts if the new processes are implemented, but if they don't this should not be ignored.

Evidence of compliance should include internal policies and processes that comply with the GDPR requirements, but this in itself will not change staff behaviour. The effective implementation of the policies and processes needed into an organisation's activities will require staff to be managed and assisted through the implementation. There are plenty of change management systems, but whichever method chosen staff need to know what is changing, act on it, and continue to use the new systems and processes.

The obligation to demonstrate compliance replaces previous obligation to notify local data protection authorities of processing activities. The onus will be on continuous data protection that can only be implemented with thorough lasting behavioural changes within an organisation.

In Canada, products and/or services described are provided by Continental Casualty Company, a CNA property/casualty insurance company. The information is intended to present a general overview for illustrative purposes only. Read CNA’s General Disclaimer.

Terri Mason-Benjamin
Vice President, Marketing and Distribution

Terri is responsible for CNA’s Marketing, Communications, and Broker Distribution initiatives. She leads Canada’s distribution strategy, partner relationships, and brand awareness strategy to solidify CNA’s position as a leader in the Canadian market.


Terri joined CNA in 2018 as Assistant Vice President, Cyber & Professional Liability, bringing over 20 years of insurance experience through senior roles at various global insurance carriers and brokers. Terri is a strong leader with deep experience in new product development, broker relations, and business planning.


Terri attended York University in Toronto, is a certified Registered Professional Liability Underwriter (RPLU), and is currently working toward the Certified Information Privacy Professional designation.