On May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect, replacing the 1995 Data Protection Directive (implemented in the UK as the Data Protection Act 1998) with protections for personal data that the earlier law could not have foreseen. GDPR reaches beyond the EU: it applies to any organization in the world that offers goods or services to, or monitors the behavior of, individuals in the EU, whether or not they are EU citizens.
“This is a very stringent set of security and data processing standards that protects the fundamental rights and freedoms of EU citizens’ personal privacy. The territorial scope of the regulation reaches far outside of the EU as it follows the data of its citizens, not where the data processing physically takes place,” said David Derigiotis, CIPP/US, Corporate Vice President and National Professional Liability Practice Leader, Burns & Wilcox. “This will impact many organizations all over the world.”
Michael Schultz, Senior Cyber Liability Broker, Burns & Wilcox, added, “The enactment of GDPR brings Cyber and Privacy Insurance to the forefront, in a world where so many companies collect large amounts of personally identifiable information. The definition of what constitutes personal information is very broad, including identifiers such as location data, name, physical and psychological characteristics, and genetic, economic, cultural, or social identifiers.”
“Every business has a cyber exposure, and any business that has the potential to collect information on an EU citizen needs to be in compliance with GDPR,” Schultz added. Businesses in the United States that may be affected can include online retailers, subscription services, florists, hotels, other hospitality services, and many more.
Insurance Market Source consulted with Derigiotis and Schultz to provide key talking points for brokers and agents on GDPR and what this means for clients, as follows:
- GDPR is an EU regulation, directly applicable in every member state without national implementing legislation, and it binds organizations anywhere in the world that control or process the personal data of individuals in the EU.
- Violating GDPR can cost a business up to 4 percent of annual worldwide turnover (revenue, not profit) or EUR 20,000,000 (approximately USD 24,817,590 at the exchange rate when this was written), whichever is higher; the EUR 20 million figure is a floor for the largest tier of fines, not a cap.
- A Data Protection Officer (DPO) must be appointed when an organization is a public authority, or when its core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health or genetic data). The 250-employee threshold in the regulation concerns the obligation to keep records of processing activities, not the DPO appointment; smaller organizations are exempt from record-keeping only if their processing is occasional, low-risk, and excludes special categories of data.
- When a personal data breach occurs, the supervisory authority must be notified within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to individuals. When the breach is likely to result in a high risk to data subjects, the organization must also communicate the breach to the affected individuals without undue delay.
- GDPR restricts transfers of personal data to countries outside the EU unless the destination has an adequacy decision or appropriate safeguards are in place (for example, standard contractual clauses or binding corporate rules). Any vendor that processes data on a business’s behalf must also be bound by a written contract meeting GDPR’s processor requirements, so every vendor a business shares data with needs to be GDPR-compliant.
- Transparency about the data collected is very important. Individuals have a right of access: on request, a business has to tell them what personal data it holds on them and provide a copy of it.
- Individuals should know whom the business shares their data with, and where consent is the legal basis, businesses must obtain an affirmative opt-in from the individual before sharing that information; pre-ticked boxes and silence do not count as consent.
- Individuals also have the “right to be forgotten” (the right to erasure), meaning they can request that their personal data be deleted, for example when it is no longer needed for the purpose it was collected for or when they withdraw consent.
- Privacy protection must be implemented by design and by default. Data minimization should be applied: collect only the information necessary to carry out a specific task or purpose, and keep it only as long as that purpose requires.
- U.S.-based entities can self-certify under the EU-U.S. Privacy Shield Framework, which offers a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States. Information on how to self-certify can be found at https://www.privacyshield.gov. (Note that the Privacy Shield framework was later invalidated by the Court of Justice of the EU in July 2020, so transfers made after that date need a different safeguard, such as standard contractual clauses.)
“Many companies do not know what information they have,” said Schultz. “This can complicate the response times, and internal audits should occur so businesses know what information they have and where it is stored.”
Phishing, social engineering, and outdated systems are common contributors to losing sensitive information, and the resulting losses are typically addressed by Cyber and Privacy insurance. Brokers and agents should keep cybersecurity at the top of their annual conversations with all clients. To further prepare for GDPR, brokers can encourage clients to read a full breakdown from lawyers contributing to Bloomberg BNA.