By: Drew M. Smith
On May 25th, after a two-year transitional period, the European Union will enforce the General Data Protection Regulation (GDPR) on all its member states. Its fundamental core is to bring data protection into the digital age and protect consumers in the EU from being monitored.
This piece of legislation came about as fear of data loss increases across Europe. This legislation, passed in 2016, updated their privacy laws. Corporations now must meet a certain standard in protecting consumer privacy and protection. However, that standard is much higher than most companies expected and it is also much higher than in the U.S. This has led many companies to scramble to put together a plan to protect this information. The infrastructure, the personnel required and the training will cost companies hundreds of millions of dollars to meet this.1
GDPR is an evolution of a previous data law that was passed over 20 years ago. In the wake of multiple breaches across the continent, many people were concerned about the loss of their personal data. This new regulation only covers their personal data, or what the U.S. calls Personal Identifiable Information (PII). It also requires the following:
- Privacy By Design: The regulation formalizes the right for a person to withhold their PII, requiring consent before its used or obtained.
- Data Protection Impact Assessments: When certain data is processed, companies must assess privacy risk.
- Right to Erasure and To Be Forgotten: There’s been a long-standing requirement in the DPD allowing consumers to request that their data be deleted. The GDPR extends this right to include data published on the web. This is the still controversial right to stay out of the public view and “be forgotten.”
- Extraterritorially: The new principle of extraterritoriality in the GDPR says that even if a company doesn’t have a physical presence in the EU but collects data about EU data subjects — for example, through a web site—then all the requirements of GDPR are in effect. In other words, the new law will extend outside the EU. This will especially affect e-commerce companies and other cloud businesses.
- Breach Notification: Any breaches must be reported to a consumer within 72 hours.
- Fines: The GDPR has a tiered penalty structure that will take a large bite out of offender’s funds. More serious infringements can merit a fine of up to 4% of a company’s global revenue. This can include violations of basic principles related to data security — especially PBD principles. A lesser fine of up to 2% of global revenue — still enormous — can be issued if company records are not in order or a supervising authority and data subjects are not notified after a breach. This makes breach notification oversights a serious and expensive offense.2
There is a monetary incentive to adapting to this new regulation. Most people will not want to work with a company that’s had a recent breach. According to one report, “Seventy-two percent of US respondents said they would boycott a company that appeared to disregard the protection of their data. Fifty percent of all respondents said they would be more likely to shop at a company that could prove it takes data protection seriously.”
A key point to this legislation is that it affects any company doing business in the EU that concerns personal data, not just those based in the EU. That means international businesses must comply with the regulation, including those that don’t have a physical presence but works with personal data from Europe. As a result, many American and Asian companies might be hesitant to expand in the Union if they must abide by these rules. 68 Percent of U.S companies would be expected to spend between $1 Million to $10 million with another 9 percent being forced to shell out more than $10 million.
This regulation coming into effect should prompt people to look at their cyber coverage and their general liability coverage. With this regulation forcing companies to add additional security, programs concerning cyber liability should be updated to compensate for the changes. Always make sure data is secure with correct security patches and vigilant surveillance.
For more information about privacy risks and insuring them, click here.