Published Thursday, April 19, 2018

How GDPR Will Affect Multinationals

Multinationals that have some form of operations within the European Union (EU) will be significantly affected by the new General Data Protection Regulation (GDPR), so it is not much of a surprise that almost 40% of multinationals saw regulatory risk as one of the biggest rising risks in CNA's latest Risk and Confidence Survey.

The GDPR will introduce a single legal framework that applies across all EU member states. The resulting harmonisation is likely to be a positive change, with a more consistent set of data protection compliance obligations from one EU member state to another. However, there are other major changes that will also come with it.

In what will be a major upheaval for many multinationals, the new Regulation has an expanded territorial scope. This means that many non-EU businesses that were not previously required to comply with the EU's Data Protection Directive will be required to comply with the GDPR once it is implemented.

Non-EU data controllers and data processors will be subject to the GDPR if they offer goods or services to data subjects in the EU, irrespective of whether payment is received. They will also be subject to it if they monitor data subjects' behaviour, insofar as that behaviour takes place within the EU. The principles in the GDPR are not new; in fact, they are present in most privacy laws around the world (including the EU's Data Protection Directive). What is new is that organisations are required to stand ready to demonstrate compliance on demand.

Multinationals could also be affected by the GDPR's increased enforcement powers. Currently, fines under national laws vary and are comparatively low, but the GDPR will significantly increase the maximum fines. The fines imposed could be up to 4% of annual worldwide turnover of the preceding financial year or 20 million euros (whichever is greater).

But it's not all bad news for multinationals. Under the Data Protection Directive, each national supervisory authority (SA) could exercise authority over businesses operating in its territory, but under the GDPR a business will be able to deal with a single SA as its lead supervisory authority across the EU. This lead SA will be responsible for all regulation of cross-border processing activities carried out by businesses in its jurisdiction.

Positive or negative, the GDPR will come into effect on 25th May 2018, and multinationals need to be prepared.

These findings come from the CNA Hardy Risk and Confidence Survey; for more insights download your copy at www.cnahardy.com/pulse.

In Canada, products and/or services described are provided by Continental Casualty Company, a CNA property/casualty insurance company. The information is intended to present a general overview for illustrative purposes only. Read CNA’s General Disclaimer.

Terri Mason-Benjamin is the AVP, Cyber and Professional Liability for CNA Canada, where she is responsible for leading and developing CNA’s Cyber Risk and Professional Liability portfolio in Canada, including product and portfolio management, growth strategy and underwriting team leadership.

Prior to joining CNA, Terri was the Head of Professional Indemnity and Cyber Risk for the Canadian operations within Allianz Global Corporate and Specialty, where she launched their Professional Liability and Cyber practices in Canada. In addition to underwriting, her experience includes claims administration and account management with a large international insurance brokerage. In addition to her many speaking engagements and presentations across the cyber/tech industry, she has served on several Global Expert Teams spanning various Professional Liability segments including Cyber Risk and Technology E&O, and is a Past Advisory Board Member with the NetDiligence Cyber Summit.

Terri attended York University in Toronto, is a certified Registered Professional Liability Underwriter (RPLU), and is currently working toward the Canadian Securities Course certification as well as the Certified Information Privacy Professional designation.
