By Sara Skirvin, Hylant Executive Risk Practice
An important change in data privacy regulation was approved and adopted by European Union (EU) Parliament in April 2016 that replaces the Data Protection Directive 95/46/EC. The EU General Data Protection Regulation (GDPR) enforcement date is May 25, 2018, at which time organizations must be in compliance with all elements of the rule.
The primary objective of the GDPR is to provide EU citizens with control of their personal data and to simplify the regulatory environment. The rule will serve to protect personal data, including customer lists, contact details, genetic/biometric data, photos, posts on social networking websites and online identifiers like computer IP addresses.
The GDPR applies to any organization located within the EU that controls or processes data about EU residents. Additionally, the GDPR has expanded its territorial scope and will apply to processing carried out by organizations operating outside of the EU that offer goods and services or that monitor the behavior of EU citizens.
The specific requirements of the EU GDPR look similar to privacy best practices and procedures. However, the regulation is challenging given the stringent, precise documentation that is now being required. This includes demonstrating how the data is being handled and why, including the analysis that was conducted that led the organization to its conclusion. These rules will ultimately lead organizations to limit the amount of data collected, and the requirements suggest that a company should only collect data that is needed to fulfill specific purposes.
Organizations will be required to conduct privacy risk-impact assessments and implement steps to minimize their risk. Additionally, organizations which process large amounts of data—or specialized data—must also appoint a data protection officer.
Though the EU GDPR now offers one collective set of rules to comply with, organizations should be prepared for increased regulation, obligations and high potential penalties for breaches in the law. The potential fine that can be assessed against companies that breach the rule is up to 4% of annual global turnover (revenue) or up to EUR 20M (whichever is highest).
If an organization is required to comply with the EU GDPR and it is relying on its cyber policy to provide assistance with a potential breach of the rule, it is important to ensure the policy is appropriately customized for its exposure. Below are a few insurance concerns for an EU GDPR-compliant organization:
- Ensure the policy offers specific affirmative coverage for investigating and defending your position against regulatory fines and penalties. Pay attention to any sub-limits. Some organizations should seek a full policy limit, depending on their exposure.
- Organizations need to ensure their processes for collecting data are in line with the requirements demanded by the GDPR, as some cyber policies exclude wrongful or unlawful collection of data.
- The coverage provided by cyber policies is triggered by a loss, as defined by each coverage section. Organizations should pay particular attention to ensure that “collection of data” is included within these insurance clauses.
- Often, the forensic costs/investigations coverage is sub-limited. However, given the narrowed breach notification window and the needed facts to be disclosed, organizations should seek full policy limits wherever possible.
If you have questions about how the GDPR could impact your company, contact a Hylant Executive Risk team member.