How GDPR Will Affect Multinationals

By Terri Mason-Benjamin | Published April 19, 2018

Multinationals that have some form of operations within the European Union (EU) will be majorly affected by the new General Data Protection Regulation, or "GDPR", making it not too much of a surprise that almost 40% of multinationals saw regulatory risk as one of the biggest rising risks in CNA's latest Risk and Confidence Survey.

The GDPR will introduce a single legal framework that applies across all EU member states, and will result in greater harmonisation which is likely to be a positive change, with a more consistent set of data protection compliance obligations from one EU member state to another. However there are other major changes that will also come with it.

In what will be a major upheaval to many multinationals there will be expanded territorial scope for the new Regulation. This means that many non-EU businesses that were not previously required to comply with the EU's Data Protection Directive will be required to comply with the GDPR, post implementation.

Non-EU data controllers and data processors will be subject to the GDPR if they either offer goods or services to data subjects in the EU, irrespective of whether payment is received. They will also be subject if they monitor data subjects' behaviour, insofar as their behaviour takes place within the EU.  The principles in the GDPR are not new – in fact they are present in most privacy laws around the world (including the EU's Data Protection Directive). The new requirement is that organisations are required to stand ready to demonstrate compliance on-demand.

Another way multinationals could be affected by the changes is in GDPR's increased enforcement powers. Currently, fines under national laws vary but are comparatively low, but the GDPR will significantly increase the maximum fines. The fines imposed could be up to 4% of annual worldwide turnover of the proceeding financial year or 20 million euros (whichever is greater).

But it's not all bad news for multinationals; under the Data Protection Directive, each national supervisory authority (SA) could exercise authority over businesses operating in its territory, but under the GDPR a business will be able to deal with a single SA as its lead supervisory authority across the EU. This lead SA will be responsible for all regulation of cross-border processing activities carried out by businesses in their jurisdiction.

Positive or negative, the GDPR will come into effect on 25th May 2018, and multinationals need to be prepared.

These findings come from the CNA Hardy Risk and Confidence Survey; for more insights download your copy at

In Canada, products and/or services described are provided by Continental Casualty Company, a CNA property/casualty insurance company. The information is intended to present a general overview for illustrative purposes only. Read CNA’s General Disclaimer.

Terri Mason-Benjamin
Vice President, Marketing and Distribution

Terri is responsible for CNA’s Marketing, Communications, and Broker Distribution initiatives. She leads Canada’s distribution strategy, partner relationships, and brand awareness strategy to solidify CNA’s position as a leader in the Canadian market.


Terri joined CNA in 2018 as Assistant Vice President, Cyber & Professional Liability, bringing over 20 years of insurance experience through senior roles at various global insurance carriers and brokers. Terri is a strong leader with deep experience in new product development, broker relations, and business planning.


Terri attended York University in Toronto, is a certified Registered Professional Liability Underwriter (RPLU), and is currently working toward the Certified Information Privacy Professional designation.